
Comment by stavros

8 months ago

You guys are forgetting that you have to scan the QR code from Signal's "link new device" menu, and then approve the new device, which is a somewhat uncommon thing for a restaurant menu to ask you to do.

That’s one way, but.

https://thehackernews.com/2025/02/hackers-exploit-signals-li...

“… the threat actors, including one it's tracking as UNC5792, have resorted to malicious QR codes that, when scanned, will link a victim's account to an actor-controlled Signal instance.”

“These QR codes are known to masquerade as group invites, security alerts, or legitimate device pairing instructions from the Signal website.”

Also

“Last week, Microsoft and Volexity also revealed that multiple Russian threat actors are taking advantage of a technique called device code phishing to log into victims' accounts by targeting them via messaging apps like WhatsApp, Signal, and Microsoft Teams.”

  • That's just phishing.

    Signal could make the pairing attack impossible by eliminating the device pairing feature, but that would also reduce its appeal and harm its mission of bringing secure communication to a broad audience. It could add steps to setting up a group chat and inviting additional members to make it less likely users will invite the wrong person, but that, too, would hurt its popularity.

    Security is a process and a spectrum, not a binary that can be guaranteed by using a certain product or service.

    • The goal of US information security is not making an app more popular. It's keeping secrets safe.

      In that view, Signal is the wrong app to use for US Officials.
