
Comment by lucb1e

8 months ago

> There’s a vulnerability in Signal where you can set up linked devices that replicate your Signal messages.

You mean the desktop linking feature? If that's considered a vulnerability, then so is being able to chat with someone after getting their public key unverified from an overseas server, the primary mode in which everyone uses it (including the people in this chat, evidently, since no out-of-band key exchange was performed)...

Not to mention the "vulnerability" where you copy the phone's storage and get the key material onto another device to do with what you will, which may be harder or easier depending on the hardware, but I'd trust any sufficiently funded security agency to be able to do this for common devices.

If you're part of the US government, with access to the most sensitive information which will put people's lives at risk if compromised, then yes, this is a vulnerability because "Russian GRU agent nicks your phone and scans your Signal QR code" is a real threat.

  • Bringing in a phone with decryption keys for this conversation is a risk, then, not just Signal's featureset...

    I agree it could be hardening to allow users/organizations to disable this feature, and also other features such as automatic media decoding and other mechanisms that are trade-offs between security and usability, but it simply does not meet the definition of a vulnerability (nobody will assign this a CVE number to track the bug and "resolve" it).