Signal Rushes to Patch Serious Eavesdropping Vulnerability
A security flaw in the privacy-focused encrypted messaging service Signal could enable a threat actor to listen to the audio stream recorded by the Android device of another Signal user, without their knowledge.
The vulnerability, tracked as CVE-2019-17191, closely resembles a FaceTime flaw that was discovered earlier this year. Attackers could exploit the issue by using a custom Signal client to launch an audio call to a Signal user. The attacker can force the victim’s device to answer the call by pressing the mute function as soon as the victim’s phone starts ringing. The attack does not work with Signal video calls. The issue was discovered last month by a researcher with Google Project Zero. Signal has already released a patch.