There's a "Signal deanonymized" thing going around:
https://gist.github.com/hackermondev/45a3cdfa52246f1d1201c1e8cdef6117
Stay calm. Deep breaths.
👉 while this is a real consideration, the only thing the attacker gets from this is a very rough (kilometers or tens of kilometers radius) location
👉 other communication platforms that use any kind of caching CDN to deliver attachments are just as affected
👉 you almost certainly should continue to use Signal, unless you specifically know that this is a big problem for you.
#Signal #InfoSec
=> More informations about this toot | More toots from rysiek@mstdn.social
In other words, it's not great that this is possible, but nowhere near an immediate and present danger to anyone except a very very small group of people doing very very specific things.
If you're in that group, you'd already know you are. You'd have someone to ask about this. And you'd almost certainly be using some other tools to anonymize yourself anyway.
If that's not the case, then this is almost certainly not something to lose sleep over. Signal remains a safe choice of a secure IM. 👍
=> More informations about this toot | More toots from rysiek@mstdn.social
@rysiek It depends.
What actually interests me is the response (or lack of it) from Signal. Seems like not much has changed over there in the last decade. Despite big words and hacker con keynotes they just want to be the new Facebook messenger.
Also there's an easier attack to get your exact egress IP address. It's good to be aware that just having Signal on your phone can reveal it (assuming notifications are enabled).
=> More informations about this toot | More toots from makdaam@chaos.social
@makdaam @rysiek There's nothing for them to say. It's a problem with CloudFlare, so CloudFlare needs to fix it.
=> More informations about this toot | More toots from Avitus@ioc.exchange
@Avitus CloudFlare doesn't mention any guarantees of anonymity of the audience.
Someone made a decision to use their services with all the implications of using it. So either nobody at Signal cares about exposing endpoint IPs (which I believe to be the actual stance - but like @rysiek said let's see if they respond) or they care and didn't check it when using CFlare as a dependency.
Either way it's the integrator's responsibility to check if the chosen components fit the purpose.
=> More informations about this toot | More toots from makdaam@chaos.social
@makdaam @rysiek CloudFlare already fixed the issue and Signal provided a statement to 404 Media: https://www.404media.co/cloudflare-issue-can-leak-chat-app-users-broad-location/
=> More informations about this toot | More toots from Avitus@ioc.exchange
@Avitus @makdaam Cloudflare fixed an issue that allowed the researcher to more easily target individual datacenters.
Signal's statement is behind a loginwall.
=> More informations about this toot | More toots from rysiek@mstdn.social
@rysiek @Avitus @makdaam IIRC, 404 uses a loginwall to prevent AI scraping, for the most part. Anyway, Signal's alleged statement from the article:
=> View attached media | View attached media
=> More informations about this toot | More toots from xgranade@wandering.shop
@xgranade @Avitus @makdaam that's the statement from the gist. I'd like a statement directly from Signal somewhere.
=> More informations about this toot | More toots from rysiek@mstdn.social
@rysiek @Avitus @makdaam Of course agreed. Was only meaning that that's the quote 404 went with.
=> More informations about this toot | More toots from xgranade@wandering.shop
@rysiek @xgranade @makdaam Signal made a direct statement to the bug bounty hunter, which was provided to 404 Media and published. So the statement given to the bug bounty hunter is the statement from Signal.
=> More informations about this toot | More toots from Avitus@ioc.exchange
@Avitus @xgranade @makdaam I would still like to hear more directly from Signal, not via the bounty hunter.
=> More informations about this toot | More toots from rysiek@mstdn.social