4 comments

[ 2.9 ms ] story [ 18.8 ms ] thread
Full Title: "Careless Whisper: Exploiting Silent Delivery Receipts to Monitor Users on Mobile Instant Messengers"
This has been making the rounds in privacy-focused forums and whatnot and still no comment from the foundation. That doesn't inspire a lot of confidence in the Signal Foundation. If nothing else, I would expect that sending delivery receipts to invalid messages be considered a bug to fix, even if sending delivery receipts in general would be intentional.
An attacker with a privileged position on the network allowing them to eavesdrop (but not decrypt) traffic could use a bug like this to identify the device on the network associated with a phone number in Signal. Given nation state level adversaries, that seems like a significant privacy issue to me.