Comment by remus
10 months ago
If you're part of the US government, with access to the most sensitive information which will put people's lives at risk if compromised, then yes this is a vulnerability because "russian GRU agent nicks your phone and scans your signal QR code" is a real threat.
If you're part of the US government, you're not supposed to use signal to discuss this kind of stuff.
Bringing in a phone with decryption keys for this conversation is a risk, then, not just Signal's featureset...
I agree it could be hardening to allow users/organizations to disable this feature, and also other features such as automatic media decoding and other mechanisms that are trade-offs between security and usability, but simply does not meet the definition of a vulnerability (nobody will assign this a CVE number to track the bug and "resolve" it)