Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://mstdn.social/users/rysiek/statuses/114030757487737424">Michał "rysiek" Woźniak · 🇺🇦 (rysiek@mstdn.social)'s status on Wednesday, 19-Feb-2025 22:30:11 JST</a><a href="https://mstdn.social/@rysiek" title="rysiek@mstdn.social"><img src="https://gnusocial.jp/avatar/13472-48-20221025105231.webp" width="48" height="48" alt='Michał "rysiek" Woźniak · 🇺🇦' style="position: absolute; left: 0; top: 0;">Michał "rysiek" Woźniak · 🇺🇦</a><div><a href="https://mstdn.social/@rysiek/114030735392499599" rel="in-reply-to">in reply to</a></div></section><article><p>Technical details in the report:<br><a href="https://cloud.google.com/blog/topics/threat-intelligence/russia-targeting-signal-messenger" rel="nofollow noreferrer">https://cloud.google.com/blog/topics/threat-intelligence/russia-targeting-signal-messenger</a></p><p>The tl;dr is:</p><p>Signal uses https://signal[.]group/#hash-fragment links in QR codes that allow people to join groups. Group identifier is in the hash-fragment.</p><p>The link loads in a browser first. A bit of JS redirects it to a sgnl://signal[.]group/hash-fragment link that is then handled directly by Signal app on mobile.</p><p>Malicious QR codes use a different domain (list in the report) and redirect to a sgnl://linkdevice URL instead.</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/4592913#notice-8991300">In conversation</a><time datetime="2025-02-19T22:30:11+09:00" title="Wednesday, 19-Feb-2025 22:30:11 JST">about 4 months ago</time> <span>from <span><a href="https://mstdn.social/@rysiek/114030757487737424" rel="external" title="Sent from mstdn.social via ActivityPub">mstdn.social</a></span></span><a href="https://mstdn.social/@rysiek/114030757487737424">permalink</a><h4>Attachments</h4><ol><li><article><header><div>No result found on File_thumbnail lookup.</div><h5><a href="https://cloud.google.com/blog/topics/threat-intelligence/russia-targeting-signal-messengerThe">Google Cloud Blog</a></h5><div></div></header><div></div><footer></footer></article></li><li><label><a rel="external" href="https://gnusocial.jp/attachment/4164890">Untitled attachment</a></label><br></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
Michał "rysiek" Woźniak · 🇺🇦 (rysiek@mstdn.social)'s status on Wednesday, 19-Feb-2025 22:30:11 JST Michał "rysiek" Woźniak · 🇺🇦
in reply to
Technical details in the report:
https://cloud.google.com/blog/topics/threat-intelligence/russia-targeting-signal-messenger
The tl;dr is:
Signal uses https://signal[.]group/#hash-fragment links in QR codes that allow people to join groups. Group identifier is in the hash-fragment.
The link loads in a browser first. A bit of JS redirects it to a sgnl://signal[.]group/hash-fragment link that is then handled directly by Signal app on mobile.
Malicious QR codes use a different domain (list in the report) and redirect to a sgnl://linkdevice URL instead.
In conversationabout 4 months ago from mstdn.socialpermalink
Attachments
1. No result found on File_thumbnail lookup.
  Google Cloud Blog
2. Untitled attachment

Public

Embed Notice

HTML Code

Corresponding Notice