Signal Patches Zero-Day Bug in its Android App

 

Signal has patched a critical flaw in its Android app that, in some circumstances, sent random unintended images to contacts without an obvious explanation. 

The flaw was first reported in December 2020 by Rob Connolly on the app's GitHub page. Although the bug had been known for months, Signal fixed it only recently. The team faced a backlash over this delay, and Greyson Parrelli, Signal’s Android developer, has now confirmed the fix. As per his response on the same GitHub thread, Signal patched the flaw with the release of the Signal Android app version 5.17. 

When a user sent an image via the Signal Android app to one of his contacts, the contact would occasionally receive not just the selected image but also a few random, unintended images that the sender had never sent out, Connolly explained. 

“Standard conversation between two users (let’s call them party A and party B). Party A shares a gif (from built-in gif search). Party B receives the gif, but also some other images, which appear to be from another user (party A has searched their phone and does not remember the images in question). Best case the images are from another contact of B and messages got crossed, worst case they are from an unknown party, who's [sic] data has now been leaked,” Connolly said while describing the flaw. 

At this time, the flaw seems to have only impacted the Android version of the app. Signal Android app users should update to the latest version of the app, available on the Google Play store, researchers advised.

Last year, in May 2020, cybersecurity researchers at Tenable discovered a flaw in the secure messaging app Signal that allowed threat actors to track users' locations. Threat actors could track a user's movements just by calling their Signal number, whether or not the user had their contact information. This could be a big problem for victims of stalking, or for activists and journalists who are trying to avoid government or law enforcement detection to leak information or act in a whistleblower capacity, researcher David Wells wrote.

“That feature is not well advertised, and it’s interesting that someone could disclose your location if they’re your contact. Let’s say I have a burner phone and I just ring your phone, and I do it so quickly that all you see is a missed call from some number. Usually, it’ll be somewhat near you. So, I can force that DNS server [near you] to talk to me. By getting that information, I know what DNS server you’re using and I can determine your general location,” Wells explained.

WhatsApp's New Privacy Policy: A Quick Look

 



With the advent of its latest privacy policy, the Facebook-owned messaging app is all set to block certain features for users who do not agree to the new policy.

The update, which was initially set to be rolled out by February 8 and would make the new privacy regulations applicable to all users, was delayed until May 15 as WhatsApp faced a strong public backlash, which allowed its competitors, namely Telegram and Signal, to solidify their reputation with the public.

Earlier, WhatsApp had given an ultimatum: users who had not accepted the updated privacy policy on May 15 would not be able to use the app. Later, however, it said that no accounts would be deleted if that did not happen. 

Giving insights into the new Privacy Policy, a WhatsApp spokesperson said, “Requiring messaging apps to “trace” chats is the equivalent of asking us to keep a fingerprint of every single message sent on WhatsApp, which would break end-to-end encryption and fundamentally undermines people’s right to privacy.”

“We have consistently joined civil society and experts around the world in opposing requirements that would violate the privacy of our users. In the meantime, we will also continue to engage with the Government of India on practical solutions aimed at keeping people safe, including responding to valid legal requests for the information available to us,” the Spokesperson added.

WhatsApp said that it is not imposing its new policy on users and that they are free not to accept it. However, the only option other than accepting the 2021 update might be for users to delete their WhatsApp accounts themselves, because they won't be able to access their chat lists or call their contacts via WhatsApp. 

From WhatsApp's statements, we can deduce that whenever users access the app, they will be constantly reminded to accept the updated privacy policy to access all its features, eventually making the platform more or less unserviceable to them. 

Users who do accept the updated privacy policy won't witness any key changes in their experience; however, those who continue to have the app installed on their device without accepting the new policy might eventually end up saying goodbye to the app due to its limited serviceability or “inactivity”. 




Signal Taunts WhatsApp as Confusion Looms Large Over its New Privacy Policy

 

WhatsApp will take action against users who have not approved the privacy policy, though it will not delete users' accounts; instead, it will disable certain essential features, as per the announcement. Users are still skeptical about adopting the privacy policy because there isn't enough clarity about what it really means. Meanwhile, Signal, a secure messaging app, has taken full advantage of the opportunity to draw users to its own site. 

WhatsApp announced a few days before the May 15 deadline, which was dreaded by many, that it would not remove users' accounts if they did not approve the privacy policy by that date. By posting a cheeky update on Twitter today, WhatsApp reminded users that their accounts will not be deleted.

“*checks calendar. pours coffee*. OK. Let’s do this. No, we can’t see your personal messages. No, we won’t delete your account. Yes, you can accept at any time,” WhatsApp wrote on Twitter. 

Signal, which is an arch competitor of WhatsApp, retweeted the post and wrote, “*checks calendar. pours coffee.* Today’s a great day to switch to privacy.” 

After the announcement of its revised privacy policy, WhatsApp has been bombarded with complaints from users. Users were first notified about it in January with an in-app update, with a deadline of February 8 to approve the privacy policy. 

However, users were outraged by the lack of clarification, and the majority of them moved to other messaging apps such as Signal and Telegram. Users thought WhatsApp would share users' private conversations with Facebook, forcing the company to push back the launch date to May 15. 

The terms and conditions, however, have now been modified. WhatsApp had previously issued users an ultimatum to accept the privacy policy in order to continue using the app, but it has now confirmed that the account would not be deleted. Though WhatsApp may not delete the account, it will deactivate certain features and transform the app into a dummy app. 

WhatsApp told The Guardian in a statement, “After a few weeks of limited functionality, you won’t be able to receive incoming calls or notifications and WhatsApp will stop sending messages and calls to your phone. At that point, users will have to choose: either they accept the new terms, or they are in effect prevented from using WhatsApp at all.”

New Vulnerabilities in Cellebrite's Tools Discovered by a Researcher

 

Signal, the messaging app that has recently become a new focus for Cellebrite's data-collection tools for law enforcement, raised the question late last month. 

Moxie Marlinspike, the creator of Signal, claimed that software flaws discovered in Cellebrite's tools could be used to tamper with facts. As a result, one lawyer has already requested a new trial. But Marlinspike isn't the only one who has scrutinized Cellebrite's gadgets. At the Black Hat Asia conference on Friday, Matt Bergin of KoreLogic will present his latest findings, which are related to Cellebrite's Universal Forensic Extraction Device, or UFED. KoreLogic's senior information security researcher, Bergin, claims to have discovered three vulnerabilities in UFED.

Despite the fact that Cellebrite has now fixed those problems, Bergin believes that forensics software should be put through rigorous penetration testing to find bugs that might jeopardize evidence. Bergin will also show off Lock Up, an Android app he created that can factory reset a phone if it detects Cellebrite software attempting to copy data. All of his research stems from a fear that Cellebrite's forensic instruments might be tampered with by bad actors, resulting in the false accusation of innocent people. 

"My whole goal for this project was to really highlight the fact that forensics tools are not immune to software vulnerabilities. And those issues, when exploited, do have real-life implications for people. That could be the rest of your life in jail," Bergin stated. 

Bergin obtained an inside look at how the UFED starts probing devices by cracking its cryptography. He was also able to write detection signatures for how UFED communicates with a target system as a result of this experience. He then developed Lock Up, an Android application. Bergin states he will not release Lock Up because he does not want to obstruct legal law enforcement investigations. 

However, he plans to make the source code accessible, as well as the indicators of compromise, which are checksums and hashes of files that Cellebrite's UFED installs on devices before collecting data.

Cellebrite also fixed CVE-2020-12798, a privilege escalation flaw, as well as CVE-2020-14474, an issue in which Cellebrite left hard-coded keys for encrypted data right next to the encrypted data. Given how much the credibility of digital evidence matters, Bergin believes testing of the software should be expanded to include penetration tests. "We need functional testing, and we need security testing," he states. "It should be part of the CFTT process before any evidence collected by these tools can be used in a court of law." 

There are also questions about supply chain tampering. Bergin and Marlinspike's results, according to Hank Leininger, co-founder of KoreLogic, have raised doubts about the factuality of data. Self-integrity checks could provide some assurance that software hasn't been manipulated, he added.

Another way Cellebrite might strengthen its procedures is to issue influential public notices detailing newly found and patched vulnerabilities. "Airing your own dirty laundry after you've washed it is a good way to create trust in your security commitment," says Leininger.

WhatsApp Clients Resort to Other Messaging Platforms

 

WhatsApp has told its two billion clients they must permit it to share information with its parent organization Facebook if they wish to keep using it. No WhatsApp client would be able to continue with the service unless they accept the new terms by 8 February. The platform said the update will enable it to offer features such as shopping and payments. 

Messaging platforms Signal and Telegram have both seen a gigantic surge in downloads around the world after a questionable update to WhatsApp's terms and conditions. 

As per information from analytics firm Sensor Tower, Signal was downloaded all around the world multiple times the week before WhatsApp declared the change on 4 January and 8.8 million times the week after. This included big surges in India, where downloads went from 12,000 to 2.7 million, the UK from 7,400 to 191,000, and the US from 63,000 to 1.1 million. In a series of tweets, Signal said a few people were reporting issues with creating groups and delays to verification codes arriving because of the rapid growth, but that it was addressing the issues. 

Telegram has proved to be even more popular, with downloads booming all around the world from 6.5 million for the week starting 28 December to 11 million over the next week. In the UK, downloads went from 47,000 to 101,000. Furthermore, in the US they went from 272,000 to 671,000. During the same period, WhatsApp's worldwide downloads shrank from 11.3 million to 9.2 million. 

One industry watcher said he didn't think this necessarily represented a major problem for WhatsApp, which has been downloaded 5.6 billion times since its launch in 2014. 

"It will be hard for opponents to break user habits, and WhatsApp will keep on being one of the world's most popular and broadly utilized messaging platforms," said Craig Chapple, mobile insights strategist at Sensor Tower. 

WhatsApp reassured its clients that it doesn't keep logs of who everyone is messaging, it can't see your shared location, it doesn't share your contacts with Facebook, and that groups can stay private. It likewise advises clients that they still have the choice to set messages to disappear and that they can't download their information. WhatsApp's clarification may manage to reassure a few clients that the privacy changes aren't as troubling as first feared, yet for others, it might have come too late.

Alert! The Days of WhatsApp Are Gone? Stronger Competitor In The Market!


Joy all around for the social media fanatics who had gotten quite bored of WhatsApp being their only source of incessant chatting provisions. And to those as well who felt unsafe because of the recent spyware that hit the beloved social media chat application.

The word around is that a recently surfaced social media chat application could give strong competition to the Facebook-owned social media service.

The users were already quite disconcerted about the recent cyber threat that hit WhatsApp and were in desperate need of any substitute to satisfy their daily social cravings.

The celebrated application goes by the name of “Signal”. Its unique characteristic is its keen focus on the privacy of the users.

Per sources, Signal has planned to move towards the big market and go “main-stream”, owing to the substantial monetary support it received from WhatsApp’s co-founder.

The financial backing is to facilitate “Signal” in getting better features and attracting the attention of people who are sort of done with using WhatsApp and are in want of other options, for whatever reasons.

Reports mention that the launcher of ‘Signal’ had continually been working on getting everyone access to encrypted communications without much fuss.

Now it finally is time for Signal to enter the world it was originally created for in the first place. It is a revolutionized effort at forming a more secure cyber-space for the people.

With key agendas like privacy and cyber-security being the central constituents of Signal, the application is sure to win a lot of hearts.

In recent times WhatsApp has been all over the place because of the alleged cyber threats, like spyware, it has been leaving its users open to. Because of this, people’s trust in it has been withering gradually.

Per valid sources, Signal is special because it is encrypted from end-to-end. Its servers do not store any sort of “conversation metadata” on them. This especially was quite a hefty task for the developers to work their way around. They also had to work on enabling “group administration” to let people add and remove members without the servers’ knowledge. But they did it.

Hence, at a time like this, Signal is a very welcome blessing for social media fanatics who have become so used to social applications that they can’t imagine their lives without them.

ICQ and Signal are the most secure messengers in Russia, says Vladimir Zykov


Vladimir Zykov believes that ICQ messenger is safer than WhatsApp, but this does not solve the problems. iOS and Android operating systems contain many vulnerabilities that are exploited by hackers.

Choosing a messenger for use, Russians are guided mainly by the advice of friends and their own feelings, said Vladimir Zykov, head of the Association of Professional Network Users and Messengers. The expert is sure that ICQ and Signal messengers are the safest in Russia. But few people use them.

In general, no messenger for a smartphone guarantees absolute security, because a vulnerable operating system controls the messenger.

"But if you choose secure mobile software, then the probability of hacking, of course, decreases," said the expert.

According to the expert, the situation is due to the fact that most applications run on mobile devices running the operating systems iOS and Android, developed by American companies Apple and Google. Therefore, they have access to Russian accounts.

"That is, in fact, their owners can connect to your phone and calmly watch from the screen everything that you have there," he said.

Earlier, the creator of Telegram and VKontakte Pavel Durov sharply criticized Facebook. The entrepreneur is unhappy with the protection of information in the WhatsApp messenger.
According to Durov, the application is a kind of Trojan that are not connected in any way with the messenger. This is due to the policy of the American company, which deliberately leaves security vulnerabilities.

WhatsApp, at the same time, is one of the most common messengers among Russians. In addition to it, the Viber application is popular. However, as experts say, these services do not really have high security.