Russia-aligned hackers are targeting Signal users with device-linking QR codes

Submitted ⁨⁨1⁩ ⁨week⁩ ago⁩ by ⁨solo@slrpnk.net⁩ to ⁨technology@lemmy.world⁩

https://arstechnica.com/information-technology/2025/02/russia-aligned-hackers-are-targeting-signal-users-with-device-linking-qr-codes/

Swapping QR codes in group invites and artillery targeting are latest ploys.

source

Comments

Sort:hotnew top

TheHobbyist@lemmy.zip ⁨1⁩ ⁨week⁩ ago
It seems Signal has already pushed out a fix for this, which was abusing the QR codes to actually link a device when it was presenting itself as a way to join a group.

Paywalled: wired.com/…/russia-signal-qr-code-phishing-attack…

source
- notabot@lemm.ee ⁨1⁩ ⁨week⁩ ago
  What I find particularly concerning is that the were able to “hide javascript commands that link the victim’s phone to a new device” in the payload of a qr-code. I can’t see any valid use for javascript in the group joining process, I would expect the code to just be a signal URI with the relevant group ID, so is there sone external javascript interface being exposed?
  
  source
- uiiiq@lemm.ee ⁨1⁩ ⁨week⁩ ago
  Without paywall: www.removepaywall.com/search?url=https%3A%2F%2Fww…
  
  source
latenightnoir@lemmy.world ⁨1⁩ ⁨week⁩ ago
Back to pen and paper it is! Start feeding the pigeons, everyone!

source
- einkorn@feddit.org ⁨1⁩ ⁨week⁩ ago
  Obligatory link to IPoAC
  
  source
  - absGeekNZ@lemmy.nz ⁨1⁩ ⁨week⁩ ago
    With 1.5TB capacity micro sd cards available, a pigeon could probably deliver 12-18TB.
    
    source
    -> View More Comments
- chaosCruiser@futurology.today ⁨1⁩ ⁨week⁩ ago
  Message in a bottle is the way to go.
  
  If hackers don’t know where the bottle is floating, they can’t read the message. It’s also completely disconnected from the Internet, further enhancing the already robust security. This protocol also supports all encryption methods you can fit inside the bottle. There’s no central authority, no servers, no licenses, and no EULAs to accept without reading.
  
  The only bottlenecks are bandwidth, packet loss, and the physical dimensions of the glass container.
  
  source
  - joshcodes@programming.dev ⁨1⁩ ⁨week⁩ ago
    Reliance on security by obscurity is unacceptable, except when the obscurity method is the oceans entire fucking surface area.
    
    source
  - Fantabread@lemm.ee ⁨1⁩ ⁨week⁩ ago
    And the actual neck of the bottle.
    
    source
  - southsamurai@sh.itjust.works ⁨1⁩ ⁨week⁩ ago
    You forgot one bottleneck. The bottleneck.
    
    source
  - AutistoMephisto@lemmy.world ⁨1⁩ ⁨week⁩ ago
    For the landlocked, may I recommend the Dead Drop Protocol? Leave the message in a place that everyone knows about, but only the intended recipients knows a message is there to be read. Like the Message in a Bottle, it supports all encryption methods and is disconnected from the Internet.
    
    source