It seems Signal has already pushed out a fix for this, which was abusing the QR codes to actually link a device when it was presenting itself as a way to join a group.
-
It seems Signal has already pushed out a fix for this, which was abusing the QR codes to actually link a device when it was presenting itself as a way to join a group.
Paywalled:
https://www.wired.com/story/russia-signal-qr-code-phishing-attack/ -
It seems Signal has already pushed out a fix for this, which was abusing the QR codes to actually link a device when it was presenting itself as a way to join a group.
Paywalled:
https://www.wired.com/story/russia-signal-qr-code-phishing-attack/ -
It seems Signal has already pushed out a fix for this, which was abusing the QR codes to actually link a device when it was presenting itself as a way to join a group.
Paywalled:
https://www.wired.com/story/russia-signal-qr-code-phishing-attack/What I find particularly concerning is that the were able to "hide javascript commands that link the victim's phone to a new device" in the payload of a qr-code. I can't see any valid use for javascript in the group joining process, I would expect the code to just be a signal URI with the relevant group ID, so is there sone external javascript interface being exposed?
-
System shared this topic onSystem shared this topic on