The bug that affected the Signal messaging application allowed an attacker to have a call answered automatically by pressing the Mute button.
Signal has fixed a bug that could have allowed attackers to listen in on victims by having a call answered automatically, without the permission of the called party. The bug is reminiscent of the Apple FaceTime bug discovered in January, which also allowed attackers to listen in on iPhone users by the same principle.
This time, the bug only works through Signal audio calls, not video, because the Signal application asks users to manually enable camera access in all calls. Only the Signal application on Android is impacted.
“The iOS client has a similar logical problem, but the call cannot be made due to an error in the ...,” said Natalie Silvanovich, the researcher who discovered the problem. But on Android, Silvanovich said, an attacker could use a modified version of the Signal app to place a call and then press their own Mute button to have the call accepted on the called party’s side.
Signal is an application known for its security
The bug occurs at the “ringing” stage of a call. Attackers can quickly press the Mute button and avoid a long ring that could alert the victims. “Even if the call is answered quickly, users would see a visible indication that a call was in progress,” a Signal spokesperson told ZDNet. “There would also always be a record of the completed call at the top of your chat list.”
The Signal application supports end-to-end encrypted communications and is a favorite among journalists, politicians, dissidents, business people, security researchers and many other prominent figures. Being able to spy on any of these people could be valuable to many attackers. A spokesman for Signal said the bug was fixed in version 4.47.7, released last week, the same day Silvanovich reported it.
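The class of flaw described above, a callee that lets input from the caller move a ringing call to the answered state, can be modelled as a small state machine. This is an added example, not Signal's code and not from the original article; the states, the `mute_toggle` message name and the `require_local_accept` switch are hypothetical and only model the behaviour the article describes.

```python
from enum import Enum, auto

class State(Enum):
    IDLE = auto()
    RINGING = auto()
    CONNECTED = auto()

class Callee:
    """Toy callee-side call state machine; hypothetical, not Signal's code."""

    def __init__(self, require_local_accept):
        self.require_local_accept = require_local_accept
        self.state = State.IDLE
        self.accepted_locally = False
        self.mic_streaming = False

    def on_peer_message(self, kind):
        # Input from the remote peer, which may be running a modified client.
        if kind == "offer" and self.state is State.IDLE:
            self.state = State.RINGING
        elif kind == "mute_toggle" and self.state is State.RINGING:
            # An in-call message arriving before the call was answered.
            # The flawed variant treats it as evidence the call is up.
            self._connect()

    def on_user_accept(self):
        # Local user action: the only event that should open the microphone.
        if self.state is State.RINGING:
            self.accepted_locally = True
            self._connect()

    def _connect(self):
        # Hardened variant: no path reaches CONNECTED without local consent.
        if self.require_local_accept and not self.accepted_locally:
            return
        self.state = State.CONNECTED
        self.mic_streaming = True

def simulate(require_local_accept, events):
    """Replay (source, event) pairs; return (final state, mic_streaming)."""
    callee = Callee(require_local_accept)
    for source, event in events:
        if source == "peer":
            callee.on_peer_message(event)
        elif (source, event) == ("user", "accept"):
            callee.on_user_accept()
    return callee.state, callee.mic_streaming

# Constructed traces: the caller rings, then either sends an in-call message
# while the callee is still ringing, or the callee answers normally.
UNANSWERED_TRACE = [("peer", "offer"), ("peer", "mute_toggle")]
ANSWERED_TRACE = [("peer", "offer"), ("user", "accept")]
```

Replaying `UNANSWERED_TRACE` with `require_local_accept=False` ends with the microphone streaming although the user never answered; with the guard enabled the call stays in `RINGING`, and a normal answer still connects.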