Decoding Signal: Understanding the Real Privacy Guarantees of E2EE
Black Hat USA 2025 · Day 1 · Briefings
A 15-year veteran security engineer conducted a comprehensive, collaborative security review of Signal — one of the few messaging applications that fully implements encrypted profiles, the double ratchet protocol, and sealed sender. He found and disclosed multiple vulnerabilities: an iOS client that accepted and processed unencrypted plaintext messages (including injected data messages), an Android client that processed plaintext envelopes without validating their content type, and — most critically — an Android flaw that allowed any user to send spoofed sync messages to another user's linked devices, enabling configuration tampering and message injection. The sync message bug was awarded a CVE with a score of 8.5 against the Whisperfish downstream client. ---
AI review
Careful, collaborative, technically deep Signal review that found real bugs — not just in theory but in production code with a working demo against the sync message vulnerability. The result is a talk that is simultaneously a Signal endorsement and a critique: the gold standard still ships exploitable bugs.