I smell quite some FUD about the alleged Signal 0day.

The recommendation is to turn off link previews; however, link previews are generated on the sender side. Just tested: with link previews turned off, you’ll still receive them from a device that sends those.

I think this would mean either:

  • Turning off link previews isn’t a sufficient mitigation

or

  • The vuln is triggering on the sender side, which means someone needs to convince you to create a message containing a malicious link

or

  • The whole thing is fake and just a nice troll

lj·rk , @ljrk@todon.eu

@joern I also stumbled across that odd mitigation. If this ends up holding true it'd still be quite a bad 0day, but much less easily exploitable. But for now, simply being aware of that attack vector is probably hardening enough :-p

Skyr , @skyr@chaos.social

@joern the HTTP request generated by the link preview contains a (semi) characteristic user agent ("WhatsApp/2"). What I could think of:
- Attacker creates malicious website which delivers content based on the user agent
- Attacker sends link to victim ("this is interesting info!")
- Victim checks link, content looks legit and interesting
- Victim shares link with his friends; now the server delivers payload (user agent matches).