Yeah, this sensational as a headline. It’s a clever idea that is not simple, requires an already compromised device and user, and won’t work except very specific conditions.
““compromised device”” in this scenario is any device with a chat app installed, push notifications on, and the chat service uses Cloudflare CDN. This is a very common setup, Discord and Signal were mentioned as examples. Many others are vulnerable for the same thing. With read receipts on the chat platform (like Signal), no push notifications are required.
The headline is sensationalist, but it isn’t something to be ignored. Especially for more privacy focused platforms like Signal, even leaking the country someone is in can be considered a risk. That’s effectively what this attack allows.
It doesn’t require them to have a compromised device. If they have Signal, or something similar, you just need to message them with an image attachment, then get to work checking where that image got cached.
No content blockers (lots have CDN bypass as a feature for this exact reason)
Any of these being different would not make this possible for a number of reasons. The author is talking about journalists and security minded people being at risk, but it’s hard to imagine anyone going above the defaults to protect would be at much risk if they didn’t take one or two of these steps as protection.
I assume from your comment you’re thinking “compromised device” to mean attacked, and those are synonymous. It’s just a phone with no protections.
Yes, which is a compromised device. A Windows machine without any antivirus or malware protection is a compromised device, for example.
Read the back half of this writeup and realize the target audience should be people with basic security steps taken. No journalist going out of their way to talk to whistleblowers is going to have a default settings phone, or any phone on them at all for that matter I would expect.
Windows machines have default antivirus. I would not expect disabling push notifications to be a basic security measure. Pretty much everyone has push notifications, including the target audience. A lot of them also don’t take a device-wide VPN because they expect only websites to track them.
Yeah, this sensational as a headline. It’s a clever idea that is not simple, requires an already compromised device and user, and won’t work except very specific conditions.
““compromised device”” in this scenario is any device with a chat app installed, push notifications on, and the chat service uses Cloudflare CDN. This is a very common setup, Discord and Signal were mentioned as examples. Many others are vulnerable for the same thing. With read receipts on the chat platform (like Signal), no push notifications are required.
The headline is sensationalist, but it isn’t something to be ignored. Especially for more privacy focused platforms like Signal, even leaking the country someone is in can be considered a risk. That’s effectively what this attack allows.
Already addressed in a different comment, but yes.
It doesn’t require them to have a compromised device. If they have Signal, or something similar, you just need to message them with an image attachment, then get to work checking where that image got cached.
Not at all.
Any of these being different would not make this possible for a number of reasons. The author is talking about journalists and security minded people being at risk, but it’s hard to imagine anyone going above the defaults to protect would be at much risk if they didn’t take one or two of these steps as protection.
I assume from your comment you’re thinking “compromised device” to mean attacked, and those are synonymous. It’s just a phone with no protections.
That’s not a compromised device though, it’s a device with default settings.
Yes, which is a compromised device. A Windows machine without any antivirus or malware protection is a compromised device, for example.
Read the back half of this writeup and realize the target audience should be people with basic security steps taken. No journalist going out of their way to talk to whistleblowers is going to have a default settings phone, or any phone on them at all for that matter I would expect.
Windows machines have default antivirus. I would not expect disabling push notifications to be a basic security measure. Pretty much everyone has push notifications, including the target audience. A lot of them also don’t take a device-wide VPN because they expect only websites to track them.
The user profile picture is not an attachment.