Signal has recently addressed a serious vulnerability that would be worrisome for users. A zero-day bug in Signal would send wrong or unintended images to contacts together with the intended ones. Signal has since patched the flaw.
Signal Zero-Day Sending Wrong Images
Reportedly, Signal Android app had developed a weird zero-day bug that would send wrong images to contacts.
The vulnerability first caught the attention of Rob Connolly who highlighted the matter on Signal’s GitHub page. Conolly even shared the steps to reproduce when reporting the flaw in December 2020.
Describing the bug, Conolly wrote,
Standard conversation between two users (let’s call them party A and party B). Party A shares a gif (from built-in gif search). Party B receives the gif, but also some other images, which appear to be from another user (party A has searched their phone and does not remember the images in question). Best case the images are from another contact of B and messages got crossed, worst case they are from an unknown party, who’s [sic] data has now been leaked.
Since then, numerous other users have also highlighted the same issue, with Christopher M. Hobbs even mentioning using “Note to self” to avoid the bug.
Signal Patched The Flaw
Despite being known for months, Signal has fixed the bug only recently.
While the team faced a backlash over this delay, Greyson Parrelli, Signal’s Android developer confirmed fixing the bug recently. As per his response on the same GitHub thread, Signal has patched the vulnerability with the release of the Signal Android app version 5.17.
Explaining the matter, he stated,
For some background, this bug came about as a rare intersection of some database properties and a separate bug. The TL;DR is that if someone had conversation trimming on, it could create a rare situation where a database ID was re-used in a way that could result in this behavior. It was very difficult to track down, with earlier phases involving getting additional logging into builds. Once we had some more information, it did in fact become our top priority, a fix was made, and we got it out as quickly and as safely as possible. The fix itself should make it so that database issues like the one that caused this bug can’t happen again.
Since the fix is out, all Android users must ensure updating their Signal app to the latest version to avoid any mishap.