Vulnerability in Signal messaging app lets hackers track your location
A security research firm has found a vulnerability in the secure messaging app Signal that could let potential hackers track a user’s location. The finding is significant because Signal prides itself on privacy, and just yesterday it announced that it will shift to a unique identifier instead of a mobile number to stop anybody from identifying or locating any Signal user.
Researcher David Wells from Tenable found that he could track any Signal user’s movements just by calling their Signal number. The funny thing is that he did not require the user to have his contact information. This vulnerability, if exploited in the wild, could cause problems for Signal users, such as stalking or spying on activists and journalists. It is mostly journalists and activists trying to avoid government or law enforcement agencies who use the Signal messaging app.
There are two aspects to the vulnerability, Wells said. One is that if two Signal users have each other as contacts, it’s possible for them to determine each other’s location and IP address by calling, even if the person being called doesn’t answer the phone.
That feature is not well advertised, and it’s interesting that someone could disclose your location if they’re your contact. That’s kind of odd. It turns out that even if you don’t have a person in your contacts list, they can still roughly determine your rough location just by calling you on Signal. This works even if you don’t pick up or see the call. Let’s say I have a burner phone and I just ring your phone, and I do it so quickly that all you see is a missed call from some number. It turns out that’s enough for the caller to see what DNS server your phone automatically connects to. Usually, it’ll be somewhat near you. So I can force that DNS server [near you] to talk to me. By getting that information, I know what DNS server you’re using and I can determine your general location.
Wells has detailed his findings in a Medium post, which you can find here. He has also informed Signal about the vulnerability. Signal has already released a patch for the vulnerability via GitHub. However, both its iOS and Android apps on the Play Store are yet to be updated.