Signal Messenger Vulnerability Allows Caller to Auto-Connect with Unaware Recipient

  • Signal vulnerable to an auto-answer exploit, which requires a modified client for the caller.
  • The attacker may activate the microphone of the target device without the recipient realizing it.
  • Signal fixed the flaw in a few hours with a patch to version 4.47.7, so users are urged to update immediately.

Natalie Silvanovich, a Google Project Zero researcher, has discovered a severe flaw in the Android client of the Signal Private Messenger, an app that is trusted by many as the most secure messenger in the world. The scenario of exploitation presupposes the failure of the recipient to answer a call on Signal, which then opens up the door for the caller to force an auto-connection to the call without any interaction on the other end. For this to work, the caller needs to use a modified Signal client, which sends a fake “connect” message, initiating a “handleCallConnected” procedure.

This activates the microphone on the target device, so the caller gets to listen to private conversations without the recipient realizing the fact. The video, however, isn’t accessible through this vulnerability, as the user will have to manually enable video on calls for that. On the iOS version of the messaging app, the auto-connect trick isn’t working because the exploitation procedure causes an error in the UI, following an unexpected sequence of states. So, it’s not a matter of superior security implementation in the iOS version of the app, but rather a matter of “saving the day” luck.

Silvanovich reported the bug to Signal developers, and they quickly confirmed the problem. Proving their accountability once more, it only took them a couple of hours to prepare and push a patch following the report. That said, if you haven’t upgraded to Signal version 4.47.7, you should do so immediately. In general, the researcher mentioned that due to the limitations in WebRTC, Signal has a large remote attack surface. This means that keeping it up to date is your best bet in remaining safe from prying ears.

The open-source Signal app remains our top choice when it comes to private communication, but it certainly isn’t the only available option out there. Other popular messaging apps that feature end-to-end encryption are WhatsApp, Viber, Facebook’s Messenger, Telegram, Skype, Line, Threema, KakaoTalk, Dust, Wickr, and many more. That said, if your trust to Signal has been irreversibly shaken, or if you just want to check out an alternative, you can pick one of the above.

Do you have something to comment on this story? Let us know of your opinion in the section down below, or on our socials, on Facebook and Twitter.



Chinese State-Supported Actors Target India’s Power Grid

Chinese hackers are systematically targeting key power grid units in India, creating disruption when needed.The hackers have been engaging in this activity...

More iPhone 13 Rumors Claim the Existence of 1TB Storage Option

The iPhone 13 is rumored to offer a 1TB storage option on the top of the range.Moreover, the new generation will feature...

‘RuTracker’ Crowdfunds the Seeding of Old and Rare Torrents

Torrent tracking platform ‘RuTracker’ is crowdfunding the expansion of its seeding storage.The site wants to support older, rare, and generally hard-to-find torrents...