cottsak | 11 months ago

I find "bypassing end-to-end encryption" to be misleading... as if somehow the e2e encryption in Signal is somehow broken or flawed.

This "social engineering" hack? is simply allowing a 3rd party to gain access to another person's account and "snoop" on their secured messages/calls.

Pls correct me if I'm reading this wrong.

ranger_danger|11 months ago

No, you're right, this is basically just phishing.

However, I think there is a real possibility that the Signal code (of which the public appstore versions are NOT fully open-source) could be modified to save/transfer messages after they have been decrypted, basically circumventing the whole point of e2ee... which is why having control over the client code is essential.

I suggest either building Signal yourself, using only verified reproducible builds without any binary blobs, or switching to the Molly-FOSS fork.

ajross|11 months ago

It's not clear. The relevant text seems to imply that an attacker can link their own device to a target account via providing a malicious URL (vs. commandeering an already-legitimately-linked device, which I guess is what you're imagining). That sounds like a legitimate flaw. But there are no details.

MattPalmer1086|11 months ago

No, bypass means to go around, not to break. So this is correct terminology. By adding devices into a chat, you get to see the plaintext messages, thus bypassing the protection provided by the end to end encryption.