- cross-posted to:
- arstechnica_index@rss.ponder.cat
- cross-posted to:
- arstechnica_index@rss.ponder.cat
Swapping QR codes in group invites and artillery targeting are latest ploys.
Swapping QR codes in group invites and artillery targeting are latest ploys.
It seems Signal has already pushed out a fix for this, which was abusing the QR codes to actually link a device when it was presenting itself as a way to join a group.
Paywalled: https://www.wired.com/story/russia-signal-qr-code-phishing-attack/
What I find particularly concerning is that the were able to “hide javascript commands that link the victim’s phone to a new device” in the payload of a qr-code. I can’t see any valid use for javascript in the group joining process, I would expect the code to just be a signal URI with the relevant group ID, so is there sone external javascript interface being exposed?
Without paywall: https://www.removepaywall.com/search?url=https%3A%2F%2Fwww.wired.com%2Fstory%2Frussia-signal-qr-code-phishing-attack%2F