jimio commented on Valid Signal privacy issues shrugged off while patches quietly rolled out   403forbiddenblog.blogspot... · Posted by u/Nevor
tptacek · 5 years ago
Am I misreading this, or is this the Signal version of the bug bounty classic "user impersonation vulnerability: if I steal this session token, I can impersonate the user who it belongs to"?
jimio · 5 years ago
no session tokens involved here; we talk about the crypto behind device-to-device transfer in this blog post (https://signal.org/blog/ios-device-transfer/)

and the concepts and UX research surrounding Safety Numbers (what they are, how they're represented, and how we found they bring the most utility to the platform) in these 2016 & 2017 blog posts:

https://signal.org/blog/safety-number-updates/
https://signal.org/blog/verified-safety-number-updates/

jimio commented on Valid Signal privacy issues shrugged off while patches quietly rolled out   403forbiddenblog.blogspot... · Posted by u/Nevor
jimio · 5 years ago
(via mobile quickly, same as my tweet replies on this one)

~~

hi there! signal did not start silently rolling out patches because there is nothing here to patch. friday’s releases were part of our regular cadence of shipping features and improvements to the apps.

by design, SNs don't change when doing a signal device transfer or when making a linked device change, because the key material doesn't change. we explained this several times and even added to our support article/FAQ. no behavior here has changed.
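
Added illustration (not Signal's code, and not part of this thread) of the point made above: if a Safety Number is a digest over both parties' long-term identity public keys, then moving the same key material to a new device cannot change it, while a reinstall that generates fresh keys does. The version prefix, iteration count, 60-digit layout and the helper names are assumptions for this toy model, not Signal's actual parameters.

```python
"""Toy model of why a Safety Number survives a device transfer.

Constructed illustration, not Signal's implementation: the Safety Number is
modelled as a digest over both parties' long-term identity public keys.
Transferring the same key material leaves the number unchanged; generating
fresh keys (a reinstall without transfer) changes it.
"""
import hashlib
import secrets

FINGERPRINT_VERSION = b"\x00\x00"  # assumed version prefix for this toy model
ITERATIONS = 1024                   # constructed iteration count, not Signal's


def generate_identity_key() -> bytes:
    """Stand-in for a long-term identity public key (32 random bytes)."""
    return secrets.token_bytes(32)


def local_fingerprint(identity_key: bytes, stable_id: str) -> str:
    """Iterated SHA-512 over (version || key || id), rendered as 30 digits."""
    digest = FINGERPRINT_VERSION + identity_key + stable_id.encode()
    for _ in range(ITERATIONS):
        digest = hashlib.sha512(digest + identity_key).digest()
    # Six 5-digit groups, each derived from a 5-byte chunk of the digest.
    groups = []
    for i in range(6):
        chunk = digest[i * 5:(i + 1) * 5]
        groups.append(f"{int.from_bytes(chunk, 'big') % 100000:05d}")
    return "".join(groups)


def safety_number(my_key: bytes, my_id: str, their_key: bytes, their_id: str) -> str:
    """Both fingerprints, sorted so that either side computes the same string."""
    mine = local_fingerprint(my_key, my_id)
    theirs = local_fingerprint(their_key, their_id)
    return "".join(sorted([mine, theirs]))


def device_transfer(identity_key: bytes) -> bytes:
    """A device transfer moves the existing key material to the new device."""
    return bytes(identity_key)


def fresh_install() -> bytes:
    """A reinstall without transfer generates new identity keys."""
    return generate_identity_key()


if __name__ == "__main__":
    alice, bob = generate_identity_key(), generate_identity_key()
    before = safety_number(alice, "alice", bob, "bob")
    print("before transfer :", before)
    print("after transfer  :", safety_number(device_transfer(alice), "alice", bob, "bob"))
    print("after reinstall :", safety_number(fresh_install(), "alice", bob, "bob"))
```

The two inputs that matter are the identity keys: a linked-device change or a transfer that carries the same keys produces the same number on both ends, which is why a "safety number changed" warning is only meaningful when the key material itself was replaced.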
