Cybersecurity Advisory. Phishing via messaging apps Signal and WhatsApp
I will add my two cents here:
Attack method one: At this point I don't think Signal can do much more against such attacks. These are so standard and easily recognizable. There are two "Signal Service" channels, one called "Note to self" and the other "Signal", and both have a fat blue tick next to them, which only official Signal channels are able to have. Besides the fact that it is easily spotted which channel/contact belongs to the actual Signal service and which one is fake, no service in the history of tech has ever asked us for credentials in its own chat.
If people still fall for this exact attack, it is a lack of critical thinking and education.
Attack method two: And here we are with bad design choices. The well-known QR codes. The problem with these QR codes is that they are not only used for logging in or logging in on a different device.
For example, I can send you my Signal username/Signal user link via a QR code instead of the username or link. This is an officially supported feature of Signal. Now if someone wants to add me, they need to/can scan this QR code with Signal itself.
If I now send, instead of the QR code for my username, the QR code for a new device login, a potential victim will fall for this pretty easily.