Signal bug lets attackers tamper with encrypted messages—patch now

Signal, the mobile messaging app recommended by NSA leaker Edward Snowden and a large number of security professionals, just fixed a bug that allowed attackers to tamper with the contents of encrypted messages sent by Android users.

The authentication-bypass vulnerability was one of two weaknesses found by researchers Jean-Philippe Aumasson and Markus Vervier in an informal review of the Java code used by the Android version of Signal. The bug made it possible for attackers who compromised a Signal server, or who were otherwise able to monitor data passing between Signal users, to replace a valid attachment with a fraudulent one. A second bug possibly would have allowed attackers to remotely execute malicious code, but a third bug limited exploits to a simple remote crash.

“The results are not catastrophic, but show that, like any piece of software, Signal is not perfect,” Aumasson wrote in an e-mail. “Signal drew the attention of many security researchers, and it’s impressive that no vulnerability was ever published until today. This pleads in favor of Signal, and we’ll keep trusting it.”