Signal App Update Fixes Eavesdropping Bug
Today there's a rather important update to the app Signal if you're particularly set of protecting your privacy. Since one of Signal's main draw points is the privacy of its communications app, it's rough to see any sort of breakdown of that functionality. However, chances are extremely small that any user was the victim of this bug, and the bug is already fixed – so long as you've got the latest version of the app.
The folks at Project Zero on Google's Chromium bug reporting station reported that the disclosure deadline is now ended and their report is now public. Per any such reporting of a bug of this caliber, it's standard protocol to report directly to the people who develop the app in the first place, then a waiting period abided by before disclosure to the public. This allows the developers of the app to fix the bug before it's made common knowledge.
The bug appeared in the process involved in calling – with the Android version of the Signal app. This situation used the "handleCallConnected" system in the app that normally causes a call to finish connecting. "Using a modified client, it is possible to send the "connect" message to a callee device when an incoming call is in progress, but has not yet been accepted by the user." So said Natashenka at Google with Project Zero.
According to the developer and bug hunter Natashenka, "The iOS client has a similar logical problem, but the call is not completed due to an error in the UI caused by the unexpected sequence of states." However, it's just as important that this version of the app be update on iOS since it's possible the UI "problem doesn't occur in all situations."
It's recommended that everyone that uses the Signal app head to their respective app stores to update the app immediately. If you've got automatic app updating switched on, you'll probably already have the update, and you'll be good to go – good on you.