1,900 Signal Users' Phone Numbers Exposed By Twilio Phishing (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: A successful phishing attack at SMS services company Twilio may have exposed the phone numbers of roughly 1,900 users of the secure messaging app Signal -- but that's about the extent of the breach, says Signal, noting that no further user data could be accessed. In a Twitter thread and support document, Signal states that a recent successful (and deeply resourced) phishing attack on Twilio allowed access to the phone numbers linked with 1,900 users. That's "a very small percentage of Signal's total users," Signal writes, and all 1,900 affected users will be notified (via SMS) to re-register their devices. Signal, like many app companies, uses Twilio to send SMS verification codes to users registering their Signal app.
With momentary access to Twilio's customer support console, attackers could have potentially used the verification codes sent by Twilio to activate Signal on another device and thereby send or receive new Signal messages. Or an attacker could confirm that these 1,900 phone numbers were actually registered to Signal devices. No other data could be accessed, in large part because of Signal's design. Message history is stored entirely on user devices. Contact and block lists, profile details, and other user data require a Signal PIN to access. And Signal is asking users to enable registration lock, which prevents Signal access on new devices until the user's PIN is correctly entered. "The kind of telecom attack suffered by Twilio is a vulnerability that Signal developed features like registration lock and Signal PINs to protect against," Signal's support document reads. The messaging app notes that while Signal doesn't "have the ability to directly fix the issues affecting the telecom ecosystem," it will work with Twilio and other providers "to tighten up their security where it matters for our users."
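As an added illustration (not Signal's or Twilio's code), here is a toy registration service modelling the design point above: a verification code that leaks through the SMS provider is enough to re-register the number onto another device until registration lock is enabled, after which the account PIN is also required. The phone number, PIN and KDF parameters are constructed for the demo.

```python
import hashlib, hmac, os, secrets, time
from typing import Optional
PIN_ROUNDS = 100_000  # assumption: a slow KDF so every PIN guess costs real work

def pin_kdf(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PIN_ROUNDS)

class RegistrationServer:
    # Toy model: a verification code proves control of the phone number; with
    # registration lock on, re-registering additionally requires the account PIN.
    def __init__(self) -> None:
        self.accounts: dict = {}  # phone -> {"generation": int, "lock": (salt, hash) | None}
        self.pending: dict = {}   # phone -> (code, expiry); single-use and short-lived

    def send_verification_code(self, phone: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[phone] = (code, time.time() + 600)
        return code  # in reality handed to the SMS/voice provider, never to the caller

    def enable_registration_lock(self, phone: str, pin: str) -> None:
        salt = os.urandom(16)
        self.accounts[phone]["lock"] = (salt, pin_kdf(pin, salt))

    def register(self, phone: str, code: str, pin: Optional[str] = None) -> str:
        entry = self.pending.pop(phone, None)  # consumed whether or not it matches
        if entry is None or time.time() > entry[1] or not hmac.compare_digest(entry[0], code):
            return "bad code"
        acct = self.accounts.get(phone)
        if acct is not None and acct["lock"] is not None:  # registration lock is on
            if pin is None:
                return "locked: PIN required"
            salt, expected = acct["lock"]
            if not hmac.compare_digest(pin_kdf(pin, salt), expected):
                return "locked: wrong PIN"
        if acct is None:
            self.accounts[phone] = {"generation": 1, "lock": None}
        else:
            acct["generation"] += 1  # the previously registered device is displaced
        return "registered"

def scenario() -> list:
    # Constructed walk-through: a captured code alone re-registers the number until the lock is on.
    srv, phone = RegistrationServer(), "+15550100"  # constructed number
    def attempt(pin: Optional[str] = None) -> str:
        return srv.register(phone, srv.send_verification_code(phone), pin)
    results = [attempt(), attempt()]  # owner enrols; a second code-only registration succeeds
    srv.enable_registration_lock(phone, "2468")
    results += [attempt(), attempt("0000"), attempt("2468")]
    return results + [srv.accounts[phone]["generation"]]
```

The generation counter shows the displacement the article describes: it advances twice (the owner's enrolment and the code-only re-registration), stays put while the lock rejects PIN-less and wrong-PIN attempts, and advances only once the correct PIN accompanies the code.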
SMS (Score:2)
Signal, like many app companies, uses Twilio to send SMS verification codes to users registering their Signal app.
I thought that SMS is rather insecure? It would feel to me like this is a giant flashing signal (pun intended) pointing at a user who does not want to stand out, especially in countries where you must hide your communications for the government.
Re: (Score:2)
Yes. This is why you shouldn't use Signal. The Signal company insists you use SMS to create an account. It's not necessary, and they don't interoperate with other clients that don't do it.
This was inevitable.
Re:SMS (Score:5, Informative)
That isn't 100% correct. Signal requires a phone number to register, but you can have it voice call you instead of sending an SMS message for the initial verification.
After the initial registration, you can install the desktop client, link the two, and not use the phone version if you want.
Re: (Score:3)
That's missing the points.
1. You have to give them a phone number which becomes attached to your Signal identity. It can get hacked, as in this case, putting your Signal account at risk since now whoever has it can use it for account recovery. It may also have exposed your identity to them, e.g. when combined with other data leaks like the recent AT&T hack.
2. The Signal app requires a huge number of permissions and tries to do everything, like replacing your SMS client. All that does is increase the atta
Re: (Score:3)
No, it was addressing the one factually incorrect statement you originally made.
1. Yes, Signal is associated with a phone number. In December of 2019 Signal introduced Signal PINs [signal.org] to address the risk of account takeover/recovery via the phone. They also introduced Registration Lock as a compensating control.
2. Yes, Signal tries to be a full-fledged text client, including the option to replace a stock SMS client. Permissions are documented here [signal.org], and it'll work just fine if you disable most of them.
Don't want
Re: (Score:2)
This is only for initial account registration on setup, and you can choose to receive a voice call instead of an SMS message.
Oh (Score:1)
Oh please, Signal devs, lecture me again on why you can't have a username and password instead of a phone number?