We are aware of recent reports regarding targeted phishing attacks that have resulted in account takeovers of some Signal users, including government officials and journalists.
-
"in a stunning development today, a random mastodon user showed they were able to take over Signal's Signal account. details of the hack remain unclear"
@benroyce @FQQD I know the details:
@signalapp are criminally incompetent like #EncroChat at best if not a #HoneyPot like #ANØM aka. #OperationIronside aka. #OperationTrøjanShield...
-
@FQQD @signalapp quick GET 'EM
-
@Lizette603_23 @signalapp Please stay kind and on topic, alright? Signal is open for feedback in their Discourse Forum.
@voxel @Lizette603_23 @signalapp they refuse to acknowledge that it's their failure by design…
-
@signalapp THERE IS NO LEGITIMATE REASON FOR #Signal TO DEMAND A #PhoneNumber (= #PII by circumstances if not mandatory doxxing to the governments aka. "#KYC")…
- so yes I do blame Signal because this attack vector is unique to #Signal's shittyness and would not exist with @monocles / #monoclesChat or even
cock.liof all places…
@kkarhan@infosec.space since i’ve started hosting services for people, i came to the conclusion that the only thing you will need is an email, and only when there is no other option to reach out to the user.
let’s make it clear to everyone: phone numbers should only be shared to people you trust and nobody else
- so yes I do blame Signal because this attack vector is unique to #Signal's shittyness and would not exist with @monocles / #monoclesChat or even
-
@voxel @Lizette603_23 @signalapp they refuse to acknowledge that it's their failure by design…
@voxel @Lizette603_23 @signalapp instead #Signal continues to peddle their #Shitcoin to this day…
https://www.youtube.com/watch?v=0DSGq9FQKU4 video via @techlore@social.lol / @techlore@techlore.tv / #TechLore
-
@signalapp "SMS codes" sounds like a you problem, though.
@ariarhythmic @signalapp yes, it it #Signal's sole fault!
- Because this attack vector doesn't exist in any halfway decent messenger App / system!
-
@signalapp Since Signal always asks for a PIN code for backups, it seems logical that threat actors are exploiting this behavior to trick users.
@adulau I think this is a deliberate #Govware #Backdoor by @signalapp since others don't do that shite yet offer encrypted backups anyway…
-
@signalapp You know how you could solve that? Stop taking users' phone numbers, and especially stop using it for verification. EZPZ.
@DekOfTheYautja PRECISELY THAT!
- Everyone with two braincells should come to the conclusion that @signalapp / #Signal is.just a successor project to #MINERVA / #Rubikon (aka. #CryptoAG) and #OperationIronside / #OperationTrøjanShield.
- Because otherwise they would've been already shutdown like #EncroChat and not "let run" like #ANØM…
- Everyone with two braincells should come to the conclusion that @signalapp / #Signal is.just a successor project to #MINERVA / #Rubikon (aka. #CryptoAG) and #OperationIronside / #OperationTrøjanShield.
-
While we build robust technical safeguards, user vigilance is ultimately the best defense against phishing. We will continue to work on mitigating these risks via interface design and signposting throughout the app. In the meantime, please stay alert, and never share your SMS verification code or Signal PIN with anyone.
@signalapp It would probably help if Signal itself didn't use what looks like a real conversation or story to communicate to the user. It legitimizes phishing attacks like these. And they're annoying features regardless.
-
@signalapp yes, and you have control over all the #Signal usernames, so it's your failing to prevent thode that happen inside your platform!
- I know that like any decent system you can block keywords and strings from usernames, display names and so forth.
- If not tuey ou truly are criminally incompetent!
@signalapp@mastodon.world @kkarhan@infosec.space I then hereby register myself as incompetent.
First I will just block "Signal Support".
Then I will block all with "Signal" in it, and be hated by "Rescue Signal Inc.", "Weak Signal Detector" and "Signal Noise Ratio". But people will get over it.
Then I will also block Signаl, which looks the same but is encoded differently. Damn russian hackers with their alphabet.
Next Turkish hackers will succeed with their phishing campaign using the name Sıgnal, so I will block those.
And after all this I will sadly witness that people even fall for Signa|, S!gnal, Singal, Sagnil and Signel, so I will block all those too.
In the end the journalist "Jesse Singal" will sue me to death because I blocked them.
I really know no good way to avoid this. Best I can think of is having a special icon only the real Signal support can use - but then people who do not know about it will keep falling for it. - I know that like any decent system you can block keywords and strings from usernames, display names and so forth.
-
Hmmm, and what about the monthly reminder to enter the personal smartphone code? How to differentiate this from the other?
@unaegeli
-That's a different code
-It's very clearly a popup, and not in a chat
-To abuse it, one would already need access to the account, i.e. through having completed the other attackI feel like that reminder is distinct enough as it is
@signalapp -
We are aware of recent reports regarding targeted phishing attacks that have resulted in account takeovers of some Signal users, including government officials and journalists. We take this very seriously.
To be clear: Signal’s encryption and infrastructure have not been compromised and remain robust. These attacks were executed via sophisticated phishing campaigns, designed to trick users into sharing information – SMS codes and/or Signal PIN – to gain access to users’ accounts.
@signalapp could you enable Yubikey support for MFA with signal accounts ? A Yubikey is phishing resistant and would stop this kind of attack if a user set it up.
-
We are aware of recent reports regarding targeted phishing attacks that have resulted in account takeovers of some Signal users, including government officials and journalists. We take this very seriously.
To be clear: Signal’s encryption and infrastructure have not been compromised and remain robust. These attacks were executed via sophisticated phishing campaigns, designed to trick users into sharing information – SMS codes and/or Signal PIN – to gain access to users’ accounts.
@signalapp If it was robust and not hacked, then this wouldn’t be happening. Even tech help desk folks know this. Why don’t you? #FireSale
-
@solitha
I mean it's hard for some non technical users to make them understand what is the "trusted context" and what is not I suppose?I mean we had that with mail for years, people should know to check the senders mail, yet still Phishing attacks are often successful.
@unaegeli @signalapp@PupWrafie Even a legitimate sender's email is not enough. Wasn't all that long ago that someone managed to send out emails *from* company addresses via a third-party vulnerability.
Scammers will always find a way. It's up to the company to take all reasonable steps to alert customers.
-
To protect people from such phishing, Signal actively warns users against sharing their SMS code and PIN.
We also want to emphasize that Signal Support will *never* initiate contact via in-app messages, SMS, or social media to ask for your verification code or PIN. If anyone asks for any Signal related code, it is a scam. We make this clear when users receive their SMS code during initial signup.
Here an actually precise image ALT text would be crucial.
-
@signalapp You know how you could solve that? Stop taking users' phone numbers, and especially stop using it for verification. EZPZ.
@DekOfTheYautja @signalapp I fear even that won't help, just force phishing attacks to use other channels. We need to convince users to "Trust nothing.". Frankly the odds of being struck by a meteorite are better.
-
To protect people from such phishing, Signal actively warns users against sharing their SMS code and PIN.
We also want to emphasize that Signal Support will *never* initiate contact via in-app messages, SMS, or social media to ask for your verification code or PIN. If anyone asks for any Signal related code, it is a scam. We make this clear when users receive their SMS code during initial signup.
@signalapp Why not change the message to "To setup Signal on your new phone, please enter code ..." to make it absolutely clear what the code is for and create additional friction for scammers as they'll have to come up with an excuse as to why it says new phone.
-
These attacks, like all phishing, rely on social engineering. Attackers impersonate trusted contacts or services (such as the non-existent “Signal Support Bot”) to trick victims into handing over their login credentials or other information. To help prevent this, remember that your Signal SMS verification code is only ever needed when you are first signing up for the Signal app.
@signalapp LOL! The day Signal puts a bot in the app would be the day I stop using it…
-
We are aware of recent reports regarding targeted phishing attacks that have resulted in account takeovers of some Signal users, including government officials and journalists. We take this very seriously.
To be clear: Signal’s encryption and infrastructure have not been compromised and remain robust. These attacks were executed via sophisticated phishing campaigns, designed to trick users into sharing information – SMS codes and/or Signal PIN – to gain access to users’ accounts.
@signalapp Can you guys look into better methods to authenticate users other than simple SMS/PIN codes (security keys, passkeys, etc.)? Unfortunately even adding a little warning to not to share the code in the text message may not be enough to prevent these sorts of phishing attacks from happening.
-
@kkarhan@infosec.space since i’ve started hosting services for people, i came to the conclusion that the only thing you will need is an email, and only when there is no other option to reach out to the user.
let’s make it clear to everyone: phone numbers should only be shared to people you trust and nobody else
@gettie @kkarhan there's an obvious problem worldwide for using a telephone number as an identifier for any comms the national govt might not approve of.
Telephone numbers are *not* property owned by the enduser or even the telephone company - they are considered public resources administered by the Communications Ministry of each nation, which does make sense as there's a limited amount of them for each country!
So the govt will *always* feel entitled to investigate what they are used for, the same way there are speed limits, road signs and CCTV on the public street and often more restrictions on what you can do in public places as opposed to a private gathering...
