this post was submitted on 20 Feb 2025
208 points (99.1% liked)


Swapping QR codes in group invites and artillery targeting are latest ploys.

[–] TheHobbyist@lemmy.zip 56 points 1 day ago (2 children)

It seems Signal has already pushed out a fix for this, which was abusing the QR codes to actually link a device when it was presenting itself as a way to join a group.

Paywalled: https://www.wired.com/story/russia-signal-qr-code-phishing-attack/

[–] notabot@lemm.ee 19 points 1 day ago

What I find particularly concerning is that they were able to "hide javascript commands that link the victim's phone to a new device" in the payload of a QR code. I can't see any valid use for JavaScript in the group joining process, I would expect the code to just be a Signal URI with the relevant group ID, so is there some external JavaScript interface being exposed?

[–] latenightnoir@lemmy.world 17 points 1 day ago (2 children)

Back to pen and paper it is! Start feeding the pigeons, everyone!

[–] einkorn@feddit.org 14 points 1 day ago (1 children)
[–] absGeekNZ@lemmy.nz 11 points 1 day ago (1 children)

With 1.5TB capacity micro sd cards available, a pigeon could probably deliver 12-18TB.

[–] latenightnoir@lemmy.world 10 points 1 day ago* (last edited 1 day ago)

This is the way.

Edit: can we also give 'em tiny cyberpunk shades and stuff?

[–] chaosCruiser@futurology.today 7 points 1 day ago (4 children)

Message in a bottle is the way to go.

If hackers don’t know where the bottle is floating, they can’t read the message. It’s also completely disconnected from the Internet, further enhancing the already robust security. This protocol also supports all encryption methods you can fit inside the bottle. There’s no central authority, no servers, no licenses, and no EULAs to accept without reading.

The only bottlenecks are bandwidth, packet loss, and the physical dimensions of the glass container.

[–] southsamurai@sh.itjust.works 4 points 21 hours ago

You forgot one bottleneck. The bottleneck.

[–] AutistoMephisto@lemmy.world 3 points 22 hours ago* (last edited 21 hours ago)

For the landlocked, may I recommend the Dead Drop Protocol? Leave the message in a place that everyone knows about, but only the intended recipients know a message is there to be read. Like the Message in a Bottle, it supports all encryption methods and is disconnected from the Internet.

There are a couple drawbacks, though. For one, unless you are watching the drop point, you have no way of knowing whether your message made it to the intended recipient or if it was intercepted. Vice versa, if you are the intended recipient of a dropped message, the only guarantee you have that the message is authentic is if the message uses a self-authenticating encryption method. Also, there is a potential that any drop point you use may be under surveillance, so make sure to not use the same drop point too often.

[–] joshcodes@programming.dev 5 points 1 day ago

Reliance on security by obscurity is unacceptable, except when the obscurity method is the ocean's entire fucking surface area.

[–] Fantabread@lemm.ee 5 points 1 day ago

And the actual neck of the bottle.