Instance Logo

threatactor.club

joernchen :cute_dumpster_fire: . @joern,

I smell quite some FUD about the alleged Signal 0day.

The recommendation is to turn off link previews, however link previews are generated on the sender side. Just tested, with link previews turned off you’ll still receive them from a device that sends those.

I think this would mean either:

  • Turning off link previews isn’t a sufficient mitigation

or

  • The vuln is triggering on the sender side that means someone needs to convince you to create a message containing a malicious link

or

  • The whole thing is fake and just a nice troll
Open thread
Skyr . @skyr, @chaos.social

@joern the http request generated by the link preview contains a (semi) characteristic user agent ("WhatsApp/2"). What I could think of:
- Attacker creates malicious website which delivers content based on the user agent
- Attacker sends link to victim ("this is interesting info!")
- Victim checks link, content looks legit and interesting
- Victim shares link with his friends; now the server delivers payload (user agent matches).

Open thread
lj·rk @ 38C3 . @ljrk, @todon.eu

@joern I also stumbled across that odd mitigation. If this ends up holding true it'd still be quite a bad 0day, but much less easily exploitable. But for now, simply being aware of that attack vector is probably hardening enough :-p

Open thread
nathan fain . @nat, @kitty.town

@joern have you heard ANYTHING from a knowledgeable source? because I've only been getting it through activist circles which makes me think its some false flag or a well intentioned privacy suggestion (don't reveal your IP, turn off previews) that turned into its own monster

Open thread