Russia-aligned hackers are targeting Signal users with device-linking QR codes

solo@slrpnk.net · 1 day ago

Russia-aligned hackers are targeting Signal users with device-linking QR codes

The Hobbyist@lemmy.zip · 1 day ago

It seems Signal has already pushed out a fix for this, which was abusing the QR codes to actually link a device when it was presenting itself as a way to join a group.

Paywalled: https://www.wired.com/story/russia-signal-qr-code-phishing-attack/

notabot@lemm.ee · 1 day ago

What I find particularly concerning is that the were able to “hide javascript commands that link the victim’s phone to a new device” in the payload of a qr-code. I can’t see any valid use for javascript in the group joining process, I would expect the code to just be a signal URI with the relevant group ID, so is there sone external javascript interface being exposed?

uiiiq@lemm.ee · 1 day ago

Without paywall: https://www.removepaywall.com/search?url=https%3A%2F%2Fwww.wired.com%2Fstory%2Frussia-signal-qr-code-phishing-attack%2F

latenightnoir@lemmy.world · 1 day ago

Back to pen and paper it is! Start feeding the pigeons, everyone!

einkorn@feddit.org · 1 day ago

Obligatory link to IPoAC

absGeekNZ@lemmy.nz · 1 day ago

With 1.5TB capacity micro sd cards available, a pigeon could probably deliver 12-18TB.

latenightnoir@lemmy.world · edit-2 1 day ago

This is the way.

Edit: can we also give’em tiny cyberpunk shades and stuff?

chaosCruiser@futurology.today · 1 day ago

Message in a bottle is the way to go.

If hackers don’t know where the bottle is floating, they can’t read the message. It’s also completely disconnected from the Internet, further enhancing the already robust security. This protocol also supports all encryption methods you can fit inside the bottle. There’s no central authority, no servers, no licenses, and no EULAs to accept without reading.

The only bottlenecks are bandwidth, packet loss, and the physical dimensions of the glass container.

AutistoMephisto@lemmy.world · edit-2 22 hours ago

For the landlocked, may I recommend the Dead Drop Protocol? Leave the message in a place that everyone knows about, but only the intended recipients knows a message is there to be read. Like the Message in a Bottle, it supports all encryption methods and is disconnected from the Internet.

There are a couple drawbacks, though. For one, unless you are watching the drop point, you have no way of knowing whether your message made it to the intended recipient or if it was intercepted. Vice versa, if you are the intended recipient of a dropped message, the only guarantee you have that the message is authentic is if the message uses a self-authenticating encryption method. Also, there is a potential that any drop point you use may be under surveillance, so make sure to not use the same drop point too often.

JoshCodes@programming.dev · 1 day ago

Reliance on security by obscurity is unacceptable, except when the obscurity method is the oceans entire fucking surface area.

Fantabread@lemm.ee · 1 day ago

And the actual neck of the bottle.