Signal Patched Critical Flaw That Allowed Hackers To Answer Calls On User's Behalf

No software is perfect. Time uncovers vulnerabilities, and it is the developers' responsibility to patch each one quickly, before it can be exploited at scale.

That is what happened to Signal, the popular encrypted messaging app. It has fixed a serious flaw in its Android client that could have let an attacker answer an incoming call on the callee's behalf. Because the call connected without the callee touching the phone, the victim would have had no indication that anything had happened.

The flaw was first discovered by Google's Project Zero team on September 28th.

According to the Project Zero report, a "logic error" in the Signal app could cause an incoming call to be answered even though the callee never picked it up. The flaw was in the Android client's handleCallConnected method, which is the code that finishes connecting a call.

During normal use, that method is called in two situations: on the callee's device when the user selects 'accept', and on the caller's device when it receives a 'connect' message from the callee indicating that the call has been accepted.

By modifying the client, the team said, "it is possible to send the 'connect' message to a callee device when an incoming call is in progress, but has not yet been accepted by the user."

"This caused the call to be answered, even though the user has not interacted with the device."
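To make the logic error concrete, here is a small call state machine written for this article. It is not Signal's code (the Android client is Java/Kotlin and organised quite differently); the CallState names, the `hardened` flag and the two scenario functions are assumptions chosen to illustrate the two paths into handleCallConnected described above. The vulnerable variant honours a 'connect' message for any in-progress call, so a modified caller can connect an incoming call the callee has not answered; the hardened variant only honours 'connect' when the local device is the caller waiting for the callee's acceptance.

```python
"""Toy model of the Signal call-connect logic error (illustration, not Signal's code)."""
from enum import Enum, auto


class CallState(Enum):
    IDLE = auto()
    INCOMING_RINGING = auto()  # callee: offer received, user has not tapped 'accept'
    OUTGOING_RINGING = auto()  # caller: offer sent, waiting for the callee's 'connect'
    CONNECTED = auto()


class CallSession:
    """One device's view of a single call (assumed simplified model, not Signal's classes)."""

    def __init__(self, hardened: bool) -> None:
        self.hardened = hardened
        self.state = CallState.IDLE
        self.audio_streaming = False   # stands in for starting the audio pipeline
        self.user_tapped_accept = False

    def receive_offer(self) -> None:
        """Callee side: an incoming call arrives and the phone starts ringing."""
        if self.state is not CallState.IDLE:
            raise RuntimeError("already in a call")
        self.state = CallState.INCOMING_RINGING

    def place_call(self) -> None:
        """Caller side: we sent an offer and now wait for the callee to accept."""
        if self.state is not CallState.IDLE:
            raise RuntimeError("already in a call")
        self.state = CallState.OUTGOING_RINGING

    def user_accepts(self) -> bool:
        """Path 1: the local user taps 'accept' on an incoming call."""
        if self.state is not CallState.INCOMING_RINGING:
            return False
        self.user_tapped_accept = True
        self._handle_call_connected()
        return True

    def on_connect_message(self) -> bool:
        """Path 2: a 'connect' message arrives from the peer over the signalling channel."""
        if self.state in (CallState.IDLE, CallState.CONNECTED):
            return False  # nothing to connect, or already connected
        if self.hardened and self.state is not CallState.OUTGOING_RINGING:
            # Only the caller is waiting for the peer's acceptance. A 'connect'
            # that arrives while *we* are the ringing callee is unexpected: drop it.
            return False
        # Vulnerable behaviour: any in-progress call is connected, including an
        # incoming one the local user has not answered.
        self._handle_call_connected()
        return True

    def _handle_call_connected(self) -> None:
        self.state = CallState.CONNECTED
        self.audio_streaming = True


def normal_call(hardened: bool) -> tuple:
    """Legitimate flow: callee taps accept, caller then receives 'connect'."""
    caller, callee = CallSession(hardened), CallSession(hardened)
    caller.place_call()
    callee.receive_offer()
    callee.user_accepts()         # callee's path into handleCallConnected
    caller.on_connect_message()   # callee's acceptance reaches the caller
    return caller.audio_streaming, callee.audio_streaming


def forced_answer(hardened: bool) -> bool:
    """A modified caller sends 'connect' before the callee has accepted.
    Returns True if the callee's audio started without any user interaction."""
    callee = CallSession(hardened)
    callee.receive_offer()
    connected = callee.on_connect_message()   # attacker's premature 'connect'
    return connected and callee.audio_streaming and not callee.user_tapped_accept


if __name__ == "__main__":
    print("normal call connects (hardened):", normal_call(True))
    print("forced answer succeeds, vulnerable client:", forced_answer(False))
    print("forced answer succeeds, hardened client:", forced_answer(True))
```

The important design point is in `on_connect_message`: a message from the network must be checked against the local call state before it is allowed to drive a transition that starts media. Accepting 'connect' is only meaningful on the caller's side; on the callee's side the only legitimate trigger for connecting is the user's own tap.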

Android users were the ones affected, but a similar logic error was present in the iOS client. On iOS, however, the unexpected sequence of states triggers an error in the user interface that prevents the call from completing, so the flaw could not be exploited there in the cases Project Zero tested.

Even so, Project Zero cautioned that it was "possible that the UI problem doesn't occur in all situations," so the iOS client could not be considered immune.


This bug is reminiscent of the FaceTime flaw discovered earlier in 2019.

That bug allowed a caller to eavesdrop on the recipient before the call was answered. Both bugs involved tricking the software into treating a call as accepted when it had not been. Unlike the FaceTime bug, however, the Signal bug was limited to audio, because Signal requires the user to enable video manually.

Google's Project Zero handles its findings under a 90-day disclosure deadline that starts when the vendor is notified.

For a bug of this severity, the standard protocol is to report it privately to the developers of the affected software first, and to observe a waiting period before disclosing it publicly. Project Zero states the policy as follows:

"This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public."

In Signal's case, the flaw was patched within that period, before the details became public.

Signal fixed the issue in version 4.47.7 of its Android app.

Published: 
08/10/2019