Signal may be the most trusted messaging app, but it's not perfect.
Dan Goodin (US) - 15/9/2016
Signal, the mobile messaging app recommended by NSA leaker Edward Snowden and a large number of security professionals, just fixed a bug that allowed attackers to add random data to the attachments of encrypted messages sent by Android users.
The update is available in this GitHub submission, but isn't yet available in the Google Play market for Android apps.
The message authentication-bypass vulnerability was one of two weaknesses found by researchers Jean-Philippe Aumasson and Markus Vervier in an informal review of the Java code used by the Android version of Signal. The bug made it possible for attackers who compromised or impersonated a Signal server to modify a valid attachment by adding random data to it. A second bug possibly would have allowed attackers to remotely execute malicious code, but Vervier told Ars that a third bug limited exploits to a simple remote crash.