A logic error has been found in the Android version of the secure messenger Signal that makes it possible to spy on users. The vulnerability allows an attacker to initiate a call that is then answered automatically, without the user's consent. In other words, the bug can be used to turn on the microphone of the device and listen to conversations taking place nearby.
The problem is similar to a bug found at the beginning of this year in Apple FaceTime on iOS, which also made it possible to hear sound and see video from the other party's device before they answered the call.
The Signal vulnerability was discovered by Natalie Silvanovich of the Google Project Zero team. It is connected with the handleCallConnected method, which is responsible for completing the call connection.
“Normally, the call to [handleCallConnected] occurs in two cases: when the called device accepts the call when the user selects ‘accept’, or when the calling device receives the ‘connect’ message, if the callee accepted the call. Using a modified client, one may send a ‘connect’ message to the calling device during the call, but before the user has accepted it. Therefore, the call will be accepted even without user intervention,” writes Silvanovich.
As noted, the vulnerability is triggered only for audio calls. The method does not work for video calls, because in the Signal application users need to turn on the camera manually.
Although a similar problem exists in the iOS version of the messenger, only users of the Android version are at risk, because on the iOS client the call fails due to an error in the user interface.
The application's developers were informed of the problem and fixed it several hours after the researcher's report. A corrected version of Signal for Android (4.48.13) is available on GitHub.
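The class of logic error described above, as an added example that is not Signal's code or its actual fix: a simplified call state machine in which a single "connected" handler serves both triggers, next to a variant that accepts each trigger only for the matching role and state. Apart from the handleCallConnected name taken from the article, every type, enum and method here is a hypothetical model.

```java
// Simplified, hypothetical model of a call state machine (not Signal's implementation).
public class CallStateModel {
    enum Role { CALLER, CALLEE }
    enum State { DIALING, RINGING, CONNECTED }
    enum Event { LOCAL_ACCEPT, REMOTE_CONNECT } // user tapped 'accept' / peer sent 'connect'

    static final class Call {
        final Role role;
        State state;
        boolean micOpen;
        Call(Role role) {
            this.role = role;
            this.state = (role == Role.CALLER) ? State.DIALING : State.RINGING;
        }
    }

    // Flawed: the handler never asks which side of the call this device is on,
    // so a 'connect' message from the peer has the same effect as the local user accepting.
    static void handleCallConnectedFlawed(Call c, Event e) {
        c.state = State.CONNECTED;
        c.micOpen = true;
    }

    // Checked: each trigger is valid for exactly one role and one state.
    static boolean handleCallConnectedChecked(Call c, Event e) {
        boolean valid =
            (e == Event.LOCAL_ACCEPT && c.role == Role.CALLEE && c.state == State.RINGING)
         || (e == Event.REMOTE_CONNECT && c.role == Role.CALLER && c.state == State.DIALING);
        if (!valid) return false; // drop the message, microphone stays closed
        c.state = State.CONNECTED;
        c.micOpen = true;
        return true;
    }

    public static void main(String[] args) {
        Call a = new Call(Role.CALLEE); // device is ringing, user has not answered
        handleCallConnectedFlawed(a, Event.REMOTE_CONNECT);
        System.out.println("flawed,  ringing device gets 'connect': micOpen=" + a.micOpen);

        Call b = new Call(Role.CALLEE);
        boolean ok = handleCallConnectedChecked(b, Event.REMOTE_CONNECT);
        System.out.println("checked, ringing device gets 'connect': accepted=" + ok + " micOpen=" + b.micOpen);

        Call c = new Call(Role.CALLEE);
        System.out.println("checked, user taps accept: accepted=" + handleCallConnectedChecked(c, Event.LOCAL_ACCEPT));

        Call d = new Call(Role.CALLER);
        System.out.println("checked, caller gets 'connect': accepted=" + handleCallConnectedChecked(d, Event.REMOTE_CONNECT));
    }
}
```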