Before we start to panic, in all fairness, cybersecurity and its current state and almost every application contains security vulnerabilities. Some of which you may find today, but others would remain undiscovered until someone else finds ways and exploits them—which is inevitable.
Signal Private Messenger—promoted as one of the most secure messengers in the world isn’t any exception.
Natalie Silvanovich, a Google Project Zero researcher, has discovered a serious flaw in the Android client of the Signal Private Messenger, an app that is trusted by many as the most secure messenger in the world. The scenario of exploitation presupposes the failure of the recipient to answer a call on Signal, which then opens up the door for the caller to force an auto-connection to the call without any interaction on the other end. For this to work, the caller needs to use a modified Signal client, which sends a fake “connect” message, initiating a “handleCallConnected” procedure.
This in return activates the microphone on the target device, the caller gets to listen to private conversations without the recipient realizing. The video feature, however, is not accessible through this vulnerability, as the user will have to manually enable video on calls for that. On the iOS version of the messaging app, the auto-connect trick is not working as the exploitation procedure causes an error in the UI, following an unexpected sequence of states.
Silvanovich reported the bug to Signal developers, and they quickly confirmed the problem. They pushed a patch following the report that said, if you have not upgraded to Signal version 4.47.7, you should do so immediately. In general, the researcher mentioned that due to the limitations in WebRTC, Signal has a large remote attack surface. This means that always updating the app is your best bet in remaining safe from prying ears.
Signal app may be a popular choice when it comes to private communication, but it certainly isn’t the only available option out there. Other popular messaging apps that feature end-to-end encryption are WhatsApp, Viber, Facebook’s Messenger, Telegram, Skype, Line, Threema, KakaoTalk, Dust, Wickr, and many more. If your trust to Signal has been irreversibly shaken, or if you just want to check out an alternative, you can pick one of the above mentioned to your suitability.
Source: Technadu, 5 Oct 2019 [ hyperlink : https://www.technadu.com/signal-vulnerability-caller-auto-connect-unaware-recipient/81918/ ]