Researchers have identified a critical vulnerability in popular privacy-centric messaging app Signal, affecting millions of iOS and Android users.
Discovered by security firm Tenable, the bug could allow hackers to gain access to users’ coarse location data and map out patterns of movement – such as time-periods during which a user is likely to be at home, work, or their favorite local haunt.
To execute an attack, the hacker need only use Signal to call another user, whose location could be compromised whether or not the call is answered.
The bug was introduced with Signal v4.59.0 on Android, while iOS users of any version since v188.8.131.52 could be at risk.
The Signal messaging app features end-to-end encryption for both calls and text messages, attracting millions of privacy-conscious users every day across Android and iOS. Even infamous whistleblower and champion of data privacy Edward Snowden claims to “use Signal every day.”
However, according to an advisory published by Tenable, the app is not as watertight from a privacy perspective as its users might expect.
The newly discovered flaw can be used to leak information about a user’s DNS, which can in turn reveal coarse location data and allow the hacker to identify the victim’s location within a 400 mile radius.
While this might appear inconsequential to most, using coarse location data in conjunction with DNS server pings from different networks (domestic Wi-Fi, public hotspots, 4G connections etc.) could be used by the hacker to make more precise location assumptions.
Signal was quick to issue a patch for the vulnerability via GitHub, which Tenable commends in its advisory. However, the security firm believes the patch requires technical expertise beyond the abilities of most users, meaning hackers could abuse the flaw freely until a patch is made available on the Apple App Store and Google Play Store.
In the interim, Tenable recommends Signal users install a VPN service that offers a DNS tunnel, which can hinder an attacker’s ability to exploit the flaw.
Signal did not immediately respond to our request for comment.