All software has bugs. But there's an extra sting when that software is something you use to communicate securely.
On Friday, a researcher at Google's elite vulnerability hunting team Project Zero published details about an issue in the Android version of Signal. The bug allowed a hacker to phone a target device, and the call would be answered without the recipient needing to even accept the call, essentially letting the hacker listen-in on the victim.
"When the call is ringing, the audio mute button can be pressed to force the callee device to connect, and audio from the callee device will be audible," Natalie Silvanovich, a security engineer at Project Zero, wrote in a September bug report which was made public today.
The issue requires a hacker to build and then use a custom version of the Signal Android software, swapping out one section of the code for another, the report shows.
Know of any other software vulnerabilities? We'd love to hear from you. You can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on firstname.lastname@example.org, or email email@example.com.
The bug could have impacted the iOS version of Signal too, if it wasn't for a bug in the user interface, Silvanovich wrote.
"I would recommend improving the logic in both clients, as it is possible the UI problem doesn't occur in all situations," Silvanovich added in her report.
The issue was fixed Friday, Silvanovich wrote.
The bug is somewhat reminiscent of a recent issue with Apple's FaceTime, in which an attacker could switch on the microphone of a target device by adding themselves to a FaceTime group call.
Open Whisper Systems said the issue was fixed the same day it was reported, and that normal indications of a call would be present to the target, such as the phone ringing or vibrating, as well as a log of the call.
Update: This piece has been updated with information from Open Whisper Systems.
Subscribe to our cybersecurity podcast, CYBER.