{"vulnerability": "cve-2018-10994", "sightings": [{"uuid": "61ea7800-e662-4364-b48e-f57b5cf14991", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2018-10994", "type": "seen", "source": "https://t.me/thesammymove/5005", "content": "IS THE SIGNAL APP SAFE?\ud83e\udd14\n\n- THE MOST CRITICAL REVIEW YET\ud83e\udd14\nby @thesammymove \n#TSMinform \n\n- After the recent change in Whatsapp's policy,millions have been moving to the app.\nBut is this app truly safe?\ud83e\udd14\n\nA SHORT HISTORY OF THE APP\ud83d\udccc\n1. First\u00a0iOS\u00a0app\u00a0to enable free end-to-end\u00a0encrypted\u00a0voice calls.\n2. Non profit organisation.\n3. CEO- Moxie Marlinspike: founder of whisper systems,an encryption system WHATSAPP USES.\n4. FBI was unable to access information on the app.\n5. Used by millions during HONG KONG protests;Introduced face blurring feature during the protest.\n6. So secure that it doesn't link your phone number to your identity on the app.\n7. Formed from merge of the\n\"TEXT SECURE\" & \" RED PHONE\" companies.\n8. Created 2014 in CA,USA.\n\nHISTORY OF SIGNAL APP\n VULNERABILITIES\ud83d\udccc\n\ud83d\udca1Grey hats hackers exploit networks and computer systems disclosing all loopholes and vulnerabilities to law enforcement agencies,developers or intelligence agencies.\n\ud83d\udca1A vulnerability\u00a0is a weakness which can be exploited by a threat actor, such as an attacker, to cross privilege boundaries within a computer system.\n-Apps do have/have had vulnerabilities before.\n\ud83d\udca1SIGNAL APP'S OPEN SOURCE CODE ALLOWS INDEPENDENT GREY HAT HACKERS TO EXPLOIT THE APP IN ORDER TO FIND VULNERABILITIES WHICH ARE FIXED.\n\nLIST OF PAST VULNERABILITIES(7)\nDecember 2020\ud83d\udea8\n\ud83d\udd0eIsraeli Spy Tech Firm Says It Can Break Into Signal App. 
Though signal declared this as false,\nclick to read more \ud83d\udc48\nMay 2020\ud83d\udea8\n\ud83d\udd0eResearcher David Wells found that he could track a user\u2019s movements just by calling their Signal number \u2014 whether or not the user had his contact information.\nOctober 2019\ud83d\udea8\n\ud83d\udd0eNatalie Silvanovich, a security engineer who is part of Google\u2019s vulnerability research team at Project Zero, has disclosed how a bug in the Android Signal client could let an attacker spy on a user without their knowledge\nOctober 2018\ud83d\udea8\n\ud83d\udd0eAnother severe flaw in Signal desktop app lets hackers steal your chats in plaintext\n-Discovered on Monday by the same team of security researchers, the newly discovered vulnerability poses the same threat as the previous one, allowing remote attackers to inject malicious code on the recipients' Signal desktop app just by sending them a message\u2014without requiring any user interaction.\nMay 2018\ud83d\udea8\n\ud83d\udd0eOn 16 May the same researchers revealed another, related, XSS bug:\nOpen Whisper Signal (aka Signal-Desktop) through 1.10.1 allows XSS via a resource location specified in an attribute of a SCRIPT, IFRAME, or IMG element, leading to JavaScript execution after a reply, a different vulnerability than CVE-2018-10994. 
The attacker needs to send HTML code directly as a message, and then reply to that message to trigger this vulnerability.\nMay 9,2018\ud83d\udea8\n\ud83d\udd0eSelf-destructing messages received on 'Signal for Mac' can be recovered later.\n-Security researcher Alec Muffett noticed that the messages that are supposed to be \"disappearing\" can still be seen\u2014even if they are deleted from the app.\n- Another security researcher Patrick Wardle reproduced the issue.\n\ud83d\udea8April 2018\nThe Open Whisper Signal app before 2.23.2 for iOS allows physically proximate attackers to bypass the screen locker feature via certain rapid sequences of actions that include app opening, clicking on cancel, and using the home button.\n\nOUR SECURITY ANALYSIS.\ud83d\udccc\n-Signal's voice and video calling functionalities use the app's Signal Protocol channel for authentication instead of ZRTP.\n-All client-server communications are protected by\u00a0TLS. Signal's developers have asserted that their servers do not keep logs about who called whom and when.\n-Signal messages are encrypted with the Signal Protocol,which combines the\u00a0Double Ratchet Algorithm, prekeys, and an Extended Triple\u00a0Diffie\u2013Hellman\u00a0(X3DH) handshake.It uses\u00a0Curve25519,\u00a0AES-256 and\u00a0HMAC-SHA256\u00a0as\u00a0primitives.\n\nOUR CONCLUSION? 
\ud83d\udccc\nComparative to WHATSAPP, SIGNAL IS SAFER AND HAS PROVEN THEIR PRIVACY AND SECURITY INTEGRITY.\u2705\n\n\nRead also,\n-DEPOSIT N50 TO GET N550 trick\nt.me/thesammymove/1514 \ud83d\udc48\n\n- FREE N1,000 TRICK \nt.me/thesammymove/999 \ud83d\udc48\n\n#Signal #cybersecurity", "creation_timestamp": "2021-01-17T01:25:43.000000Z"}, {"uuid": "6003e216-a0ba-42f6-8c3d-6cc90f8a7229", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2018-10994", "type": "seen", "source": "https://t.me/thesammymove/1546", "content": "IS THE SIGNAL APP SAFE?\ud83e\udd14\n\n- THE MOST CRITICAL REVIEW YET\ud83e\udd14\nby @thesammymove \n#TSMinform \n\n- After the recent change in Whatsapp's policy,millions have been moving to the app.\nBut is this app truly safe?\ud83e\udd14\n\nA SHORT HISTORY OF THE APP\ud83d\udccc\n1. First\u00a0iOS\u00a0app\u00a0to enable free end-to-end\u00a0encrypted\u00a0voice calls.\n2. Non profit organisation.\n3. CEO- Moxie Marlinspike: founder of whisper systems,an encryption system WHATSAPP USES.\n4. FBI was unable to access information on the app.\n5. Used by millions during HONG KONG protests;Introduced face blurring feature during the protest.\n6. So secure that it doesn't link your phone number to your identity on the app.\n7. Formed from merge of the\n\"TEXT SECURE\" & \" RED PHONE\" companies.\n8. 
Created 2014 in CA,USA.\n\nHISTORY OF SIGNAL APP\n VULNERABILITIES\ud83d\udccc\n\ud83d\udca1Grey hats hackers exploit networks and computer systems disclosing all loopholes and vulnerabilities to law enforcement agencies,developers or intelligence agencies.\n\ud83d\udca1A vulnerability\u00a0is a weakness which can be exploited by a threat actor, such as an attacker, to cross privilege boundaries within a computer system.\n-Apps do have/have had vulnerabilities before.\n\ud83d\udca1SIGNAL APP'S OPEN SOURCE CODE ALLOWS INDEPENDENT GREY HATS TO EXPLOIT THE APP IN ORDER TO FIND VULNERABILITIES WHICH ARE FIXED.\n\nLIST OF PAST VULNERABILITIES(7)\nDecember 2020\ud83d\udea8\n\ud83d\udd0eIsraeli Spy Tech Firm Says It Can Break Into Signal App. Though signal declared this FALSE\nclick to read more \ud83d\udc48\nMay 2020\ud83d\udea8\n\ud83d\udd0eResearcher David Wells found that he could track a user\u2019s movements just by calling their Signal number \u2014 whether or not the user had his contact information.\nOctober 2019\ud83d\udea8\n\ud83d\udd0eNatalie Silvanovich, a security engineer who is part of Google\u2019s vulnerability research team at Project Zero, has disclosed how a bug in the Android Signal client could let an attacker spy on a user without their knowledge\nOctober 2018\ud83d\udea8\n\ud83d\udd0eAnother severe flaw in Signal desktop app lets hackers steal your chats in plaintext\n-Discovered on Monday by the same team of security researchers, the discovered vulnerability poses the same threat as the previous one, allowing remote attackers to inject malicious code on the recipients' Signal desktop app just by sending them a message\u2014without requiring any user interaction.\nMay 2018\ud83d\udea8\n\ud83d\udd0eOn 16 May the same researchers revealed another, related, XSS bug:\nOpen Whisper Signal (aka Signal-Desktop) through 1.10.1 allows XSS via a resource location specified in an attribute of a SCRIPT, IFRAME, or IMG element, leading to JavaScript execution 
after a reply, a different vulnerability than CVE-2018-10994. The attacker needs to send HTML code directly as a message, and then reply to that message to trigger this vulnerability.\nMay 9,2018\ud83d\udea8\n\ud83d\udd0eSelf-destructing messages received on 'Signal for Mac' can be recovered later.\n-Security researcher Alec Muffett noticed that the messages that are supposed to be \"disappearing\" can still be seen\u2014even if they are deleted from the app.\n- Another security researcher Patrick Wardle reproduced the issue.\n\ud83d\udea8April 2018\nThe Open Whisper Signal app before 2.23.2 for iOS allows physically proximate attackers to bypass the screen locker feature via certain rapid sequences of actions that include app opening, clicking on cancel, and using the home button.\n\nOUR SECURITY ANALYSIS.\ud83d\udccc\n-Signal's voice and video calling functionalities use the app's Signal Protocol channel for authentication instead of ZRTP.\n-All client-server communications are protected by\u00a0TLS. Signal's developers have asserted that their servers do not keep logs about who called whom and when.\n-Signal messages are encrypted with the Signal Protocol,which combines the\u00a0Double Ratchet Algorithm, prekeys, and an Extended Triple\u00a0Diffie\u2013Hellman\u00a0(X3DH) handshake.It uses\u00a0Curve25519,\u00a0AES-256 and\u00a0HMAC-SHA256\u00a0as\u00a0primitives.\n\nOUR CONCLUSION? \ud83d\udccc\nComparative to WHATSAPP, SIGNAL IS SAFER AND HAS PROVEN THEIR PRIVACY AND SECURITY INTEGRITY.\u2705\n\nRead also\ud83d\udea8\n-DEPOSIT N50 TO GET N550 trick\ud83d\udc47\nt.me/thesammymove/1514\n\n-EARN FREE CRYPTO,AIRTIME,DATA CASH\ud83d\udc47\nt.me/thesammymove/1692\n\n- FREE N1,000 TRICK \ud83d\udc47\nt.me/thesammymove/999\n\n#Signal #cybersecurity", "creation_timestamp": "2021-04-24T03:32:28.000000Z"}]}