elefant @elefant

Recent searches

Search options

Only available when logged in.

@Avitus · Jan 22 *

@makdaam @rysiek CloudFlare already fixed the issue and Signal provided a statement to the bug bounty hunter, which 404 Media published: https://www.404media.co/cloudflare-issue-can-leak-chat-app-users-broad-location/

404 Media · Jan 21Cloudflare Issue Can Leak Chat App Users' Broad LocationA security researcher made a tool that let them quickly check which of Cloudflare's data centers had cached an image, which allowed them to figure out what city a Discord, Signal, or Twitter/X user might be in.

**Michał "rysiek" Woźniak ·** @rysiek@mstdn.social · Jan 22

Jan 22

Michał "rysiek" Woźniak · @rysiek@mstdn.social

@Avitus @makdaam Cloudflare fixed *an* issue that allowed the researcher to more easily target individual datacenters.

*The* issue is not "fixed", as that is still possible by using a VPN and cycling through exit locations, or by using one's own nodes in these locations, etc.

Signal's statement is behind a loginwall.

**Cassandra Granade** @xgranade@wandering.shop · Jan 22

Jan 22

Cassandra Granade @xgranade@wandering.shop

@rysiek @Avitus @makdaam IIRC, 404 uses a loginwall to prevent AI scraping, for the most part. Anyway, Signal's alleged statement from the article:

404 Media first asked Signal for comment in early December. The organization did not provide a statement in time for publication, but daniel shared their response to his bug report.

“What you're describing (observing cache hits and misses) is a generic property of how Content Distribution Networks function. Signal's use of CDNs is neither unique nor alarming, and also doesn't impact Signal's end-to-end encryption. CDNs are utilized by every popular application and website on the internet, and they are essential for high-performance and reliability while serving a global audience,” Signal’s security team wrote.

“There is already a large body of existing work that explores this topic in detail, but if someone needs to completely obscure their network location (especially at a level as coarse and imprecise as the example that appears in your video) a VPN is absolutely necessary. That functionality falls outside of Signal's scope. Signal protects the privacy of your messages and calls, but it has never attempted to fully replicate the set of network-layer anonymity features that projects like Wireguard, Tor, and other open-source VPN software can provide,” it added.

**Michał "rysiek" Woźniak ·** @rysiek@mstdn.social · Jan 22

Jan 22

Michał "rysiek" Woźniak · @rysiek@mstdn.social

@xgranade @Avitus @makdaam that's the statement from the gist. I'd like a statement directly from Signal somewhere.

@Avitus@ioc.exchange

@rysiek @xgranade @makdaam Signal made a direct statement to the bug bounty hunter, which was provided to 404 Media and published. So the statement given to the bug bounty hunter is the statement from Signal.

Jan 26, 2025, 06:31 PM·

0boosts·0favorites

**Michał "rysiek" Woźniak ·** @rysiek@mstdn.social · Jan 26

Jan 26

Michał "rysiek" Woźniak · @rysiek@mstdn.social

@Avitus @xgranade @makdaam I would still like to hear more directly from Signal, not via the bounty hunter.

Drag & drop to upload

Recent searches

Search options

Administered by:

Server stats:

Recent searches

Search options

Administered by:

Server stats:

Back