Glitch in Signal: unknown contacts and suspicious calls

Father

A cybersecurity specialist has discovered strange numbers in his trusted contact list.

Cybersecurity specialist Adam Donenfield shared on X an unusual failure that he encountered when using the Signal messenger.

The crux of the problem was that unknown users under the general name "Signal Connection" were added to Donenfield's list of trusted contacts without his knowledge. In addition, two VoIP call attempts were recorded, which added to suspicions that something out of the ordinary was happening.

Third-party contacts added to the Donenfield list

According to Donenfield, the glitch led to the appearance and subsequent blocking of contacts that had an identical name. Initially, there were about 20 such anomalies in his list, but when he later logged in to the app there were suddenly more than 100 of them. Donenfield also linked the VoIP calls that occurred to potential failures or errors in the VoIP stack, which could indicate the presence of a zero-day vulnerability.


Interestingly, similar problems were observed among a number of users in Russia, which indicated that the problem had a wide impact.

Meredith Whittaker, head of Signal, explained that what happened was not the result of a targeted zero-click attack, but rather of an error in the implementation of privacy settings, in which the phone number was inadvertently associated with the user's name. Whittaker assured users that the development team was already working to fix the problem.

Donenfield clarified that he used the latest versions of both programs: iOS 17.4 and Signal 7.2, and mentioned that updates correcting these shortcomings were released the very next day after the problem was discovered.

An important innovation introduced in March of this year in Signal 7.0 was the function of using nicknames instead of phone numbers. This feature was tested in February on a limited number of users and is now available to everyone, allowing you to communicate in the messenger without revealing your real phone numbers.