This has been making the rounds in privacy-focused forums and whatnot and still no comment from the foundation. That doesn't inspire a lot of confidence in the Signal Foundation. If nothing else, I would expect that sending delivery receipts to invalid messages be considered a bug to fix, even if sending delivery receipts in general would be intentional.
An attacker with a privileged position on the network allowing them to eavesdrop (but not decrypt) traffic could use a bug like this to identify the device on the network associated with a phone number in Signal. Given nation-state-level adversaries, that seems like a significant privacy issue to me.
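As an added illustration (not from this thread, the paper, or Signal's code base), the Python simulation below shows the passive timing correlation the comment above describes: the attacker sends probe messages to the target phone number on a schedule they choose, and an observer who sees only encrypted packet timing on a local network scores each device by how often it emits traffic right after a probe. Every capture record, device address and timing here is constructed; the receipt delay range, the background traffic rate and the decision threshold are assumptions, not measured values.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One observed outbound packet: time since capture start and the device address.
    The observer never sees plaintext, so payloads are deliberately absent."""
    t: float
    src: str


# Attacker-chosen probe schedule (seconds). Because receipts are returned even for
# messages the target cannot decrypt, the attacker needs no cooperation from the target.
PROBE_TIMES = [10.0, 25.0, 41.0, 58.0, 73.0, 90.0, 104.0, 120.0]


def build_capture(target: str, others: list, probe_times: list, seed: int = 1) -> list:
    """Constructed capture: the target answers each probe with a receipt 0.2-0.9 s later
    (assumed delay), and every device, target included, also emits 20 unrelated
    background packets spread over 130 s (assumed rate)."""
    rng = random.Random(seed)
    flows = [Flow(t + rng.uniform(0.2, 0.9), target) for t in probe_times]
    for dev in others + [target]:
        flows.extend(Flow(rng.uniform(0.0, 130.0), dev) for _ in range(20))
    flows.sort(key=lambda f: f.t)
    return flows


def correlate(flows: list, probe_times: list, window: float = 1.5) -> dict:
    """Fraction of probes after which each device sent at least one packet within
    `window` seconds. Uses timing only: no addresses beyond the local one, no content."""
    by_src = {}
    for f in flows:
        by_src.setdefault(f.src, []).append(f.t)
    scores = {}
    for src, times in by_src.items():
        hits = sum(1 for p in probe_times if any(p <= t <= p + window for t in times))
        scores[src] = hits / len(probe_times)
    return scores


def identify(flows: list, probe_times: list, window: float = 1.5, threshold: float = 0.8):
    """Return the device whose traffic best tracks the probe schedule, or None if no
    device clears the (assumed) threshold. The threshold guards against a busy device
    that happens to be chatty near a few probes."""
    scores = correlate(flows, probe_times, window)
    best = max(scores, key=scores.get)
    return best if scores[best] >= threshold else None


def demo():
    # Constructed addresses; 10.0.0.23 is the device holding the probed phone number.
    others = ["10.0.0.11", "10.0.0.42", "10.0.0.77"]
    flows = build_capture("10.0.0.23", others, PROBE_TIMES)
    scores = correlate(flows, PROBE_TIMES)
    return identify(flows, PROBE_TIMES), scores


if __name__ == "__main__":
    device, scores = demo()
    for src, s in sorted(scores.items(), key=lambda kv: -kv[1]):
        print(f"{src:12s} probe-hit rate {s:.2f}")
    print("identified device:", device)
```

The scoring deliberately ignores destination addresses and packet sizes; adding either (for example, restricting to flows toward the messenger's servers) would only sharpen the correlation. Randomizing or batching receipt timing on the client, or not answering undecryptable messages at all, is what breaks the link between the attacker's schedule and the device's traffic.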
Related reading. Might be of interest while on this topic.
[1] https://www.pressherald.com/2024/02/29/the-fbis-new-tactic-c...
Full Title: "Careless Whisper: Exploiting Silent Delivery Receipts to Monitor Users on Mobile Instant Messengers"