Security News > 2020 > May > Signal fixes location-revealing flaw, introduces Signal PINs
The nonprofit organization also announced on Tuesday a new mechanism - Signal PINs - that will eventually allow users to avoid using their phone number as their user ID.
About the vulnerability
The DNS server information offers only coarse location data, so it cannot tell the caller exactly where the callee is located. Still, according to Wells, "In instances such as Google Public DNS and others, this attack can narrow the location down to the Signal user's city due to usage of EDNS Client Subnet."
Luckily, Signal has already pushed out updated versions of Signal for Android and iOS that fix the problem, so users can update their apps immediately.
The data will be encrypted and saved on Signal's servers, but won't be accessible to Signal because it doesn't know the users' PINs. It's also important to point out that the saved data does not include Signal conversations.
Signal PINs can also serve as an optional "Registration lock" - an additional protection against Signal account hijacking.
News URL
http://feedproxy.google.com/~r/HelpNetSecurity/~3/XXZacN4DLKQ/