Signal fixes bug that lets attackers tamper with encrypted messages
Signal, the mobile messaging app recommended by NSA leaker Edward Snowden and a large number of security professionals, just fixed a bug that allowed attackers to tamper with the contents of encrypted messages sent by Android users. The update is available on this Github submission, but isn’t yet available in the Google Play market for Android apps.
The message authentication-bypass vulnerability was one of two weaknesses found by researchers Jean-Philippe Aumasson and Markus Vervier in an informal review of the Java code used by the Android version of Signal. The bug made it possible for attackers who compromised a Signal server or were otherwise able to monitor data passing between Signal users to modify a valid attachment with a fraudulent data. A second bug possibly would have allowed attackers to remotely execute malicious code, but a third bug limited exploits to a simple remote crash.
“The results are not catastrophic, but show that, like any piece of software, Signal is not perfect,” Aumasson wrote in an e-mail. “Signal drew the attention of many security researchers, and it’s impressive that no vulnerability was ever published until today. This pleads in favor of Signal, and we’ll keep trusting it.”