Anyone can track WhatsApp and Signal users' activity, knowing only their phone number: "Careless Whisper: Exploiting Silent Delivery Receipts to Monitor Users on Mobile Instant Messengers" (arxiv.org)
from cypherpunks@lemmy.ml to privacy@lemmy.ml on 22 Dec 19:20
https://lemmy.ml/post/40673017

This is a year-old paper but now there is an easy-to-use implementation of the attack: github.com/gommzystudio/device-activity-tracker

Signal developers’ verdict is WONTFIX: github.com/signalapp/Signal-Android/pull/14463

#privacy


ThatGuyNamedZeus@feddit.org on 22 Dec 19:32

You can’t avoid being monitored on WhatsApp; on Signal, however, just be careful about what you download and be sure to have a good antivirus running and up to date on your devices.

cypherpunks@lemmy.ml on 22 Dec 19:45

Those best practices don’t mitigate the attack in this paper.

ryannathans@aussie.zone on 23 Dec 00:25

You can literally turn off read receipts in Signal.

cypherpunks@lemmy.ml on 23 Dec 01:59

> You can literally turn off read receipts in signal

But you can’t turn off delivery receipts, which is what this attack uses.

ryannathans@aussie.zone on 23 Dec 03:01

But you can turn off sealed sender messages from anyone, so they’d have to already be a trusted contact.

cypherpunks@lemmy.ml on 23 Dec 03:36

> But you can turn off sealed sender messages from anyone, so they’d have to already be a trusted contact

The setting to mitigate this attack (so that only people who know your username can do it, instead of anybody who knows your number) is called Who Can Find Me By Number. According to the docs, setting it to nobody requires also setting Who Can See My Number to nobody. Those two settings are both entirely unrelated to Signal’s “sealed sender” thing, which incidentally is itself cryptography theater, btw.

juko_kun@sh.itjust.works on 23 Dec 16:50

Is there any reason to use Signal over Matrix?

tomenzgg@midwest.social on 23 Dec 17:37

soatok.blog/…/security-issues-in-matrixs-olm-libr…

This is the most strongly writeup I know of (whether it’s something you, likewise, find worth being wary about is, naturally, up to you, though).

Screen_Shatter@lemmy.world on 23 Dec 17:12

I remember trying to sign up for Signal and stopped when it wanted my phone number. It’s no longer anonymous at that point. When I talk about it, there’s always people who come at me about it being secure and what’s my attack vector? Well, it’s not secure. My vector is a desire to be anonymous, and clearly the anonymity this presents is a facade.