Create accountLogin

Recent searches

No recent searches

Search options

Only available when logged in.
infosec.space is one of the many independent Mastodon servers you can use to participate in the fediverse.
A Mastodon instance for info/cyber security-minded people. This instance blocks threads.net

Administered by:

Server stats:

49
active users

infosec.space: AboutPrivacy policy

Mastodon: AboutGet the appKeyboard shortcutsView source codev4.4.0-alpha.4+glitch

Public

There's a "Signal deanonymized" thing going around:
gist.github.com/hackermondev/4

Stay calm. Deep breaths.

👉 while this is a real consideration, the only thing the attacker gets from this is a very rough (kilometers or tens of kilometers radius) location

👉 other communication platforms that use any kind of caching CDN to deliver attachments are just as affected

👉 you almost certainly should continue to use Signal, unless you specifically know that this is a big problem for you.

GistUnique 0-click deanonymization attack targeting Signal, Discord and hundreds of platformUnique 0-click deanonymization attack targeting Signal, Discord and hundreds of platform - research.md
#Signal#InfoSec
*
Quiet public

In other words, it's not great that this is possible, but nowhere near an immediate and present danger to anyone except a very very small group of people doing very very specific things.

If you're in that group, you'd already known you are. You'd have someone to ask about this. And you'd almost certainly be using some other tools to anonymize yourself anyway.

If that's not the case, then this is almost certainly not something to lose sleep over. Signal remains a safe choice of a secure IM. 👍

Quiet public

If you are still worried about this, my read of it is that these things might make the attack more difficult:

👉 turn off automatic downloading of media files

This makes this attack rely on you clicking the image to download it, making it very difficult for the attacker to know when to check for the cached status of the resource.

This is important, because for each attachment the attacker can only ask this question once per the period Cloudflare caches these resources (not sure exactly).

Quiet public

You can also:

👉 turn off push notifications – this makes the attack rely on you clicking the chat to download the image

👉 turn off read receipts – again, this makes it more difficult for the attacker to know when to ask the question they can only ask once per a specific period of time

👉 use Signal over Tor or a VPN to obscure your actual location – the attacker would get the rough location of the exit node

*
Quiet public

Technical details tl;dr:

- Signal (and other communication platforms) uses Cloudflare with caching enabled for media

- one can check on which Cloudflare endpoints a given attachment URL got cached (one can use a VPN for this), giving them the ability to roughly geolocate users whose Signal downloaded the file

- a doctored version of Signal (or whatever app) allows the attacker to send the message with an image, and extract the attachment URL to know what URL to check for having been cached

*
Quiet public

@rysiek Thank you for this summary.

BTW, does using a trusted proxy in Signal help to mitigate this issue?

Explore
About