UPDATED: The blog post was updated to reflect the availability of updated versions of Signal on the Google Play Store and Apple App Store.

Signal Private Messenger’s ease of use, multiplatform support, and end-to-end encryption for both text and calls have attracted millions of users per day. Even Edward Snowden, the well-known American whistleblower, claims “I use Signal every day.” So this month, when I disclosed a way to leak a user’s DNS server simply by ringing their Signal number (CVE-2020-5753), I was happy to see how fast they patched it.

Revealing a Signal user’s DNS server can potentially reveal coarse location, but as we will later see, in instances such as Google Public DNS (8.8.8.8/8.8.4.4) and others, this attack can narrow the location down to the Signal user’s city due to the use of EDNS Client Subnet.

The Signal team let us know that updated versions for Android and iOS will be available. Signal is an open source application and, due to our disclosure policy, we disclose issues once any patch or information pertaining to a vulnerability goes public, as in this case.

For certain Signal users, this issue could be quite serious, while average users aren’t as likely to be impacted. From our investigation, the affected Android versions are Signal v4.59.0 and up, while for iOS the affected WebRTC update was introduced in 3.8.0.34. It’s worth mentioning that this is not an issue in Signal’s code, but is due to WebRTC doing DNS requests.