Stagefright Vulnerability: No way to disable auto-downloading of MMS #3817
Comments
|
We don't do any pre-processing that involves stagefright. There are no technical details at all available about this vulnerability (for maximum hype), but you'd have to physically tap on the media and then click through a warning about playing media insecurely before stagefright got involved. |
|
Wouldn't it be great if GitHub had a built-in voting system for bugs? In the meantime, I suppose all I have is a 👍 to show my support for how awesome TextSecure/Signal is. 😄 |
|
In case someone comes across this later, these appear to be the relevant commits: |
|
@myhndl and everyone else who looks for the relevant commits: There seem to be more commits from Joshua Drake (jduck) which are relevant: Apparently Julian Strobl did apply Stagefright fixes to the branch CM-10.1: There is a commit by Brint E. Kriebel (author Marco Nelissen) which got merged into various branches: EDIT: |
|
I don't always patch security holes affecting |
|
It's a critical vulnerability but I can't find an option in the current version to disable auto-downloading MMS. When will there be an update? |
|
So you think all the Stagefright is hype? Really? Are you kidding? I tested it and sent myself an SMS and I did not have to click anywhere to get it downloaded. It was automatically downloaded and I got a push notification. |
|
afaik just video files are affected, no? Are you sure video files are previewed as well? |
|
No it affects everything parsed by the Stagefright library, including pictures and so on. That's why it can so easily be exploited in multiple ways, including MMS and files downloaded by the browser. See also: https://en.wikipedia.org/wiki/Stagefright_%28bug%29#Mitigation |
|
@rugk Please don't spread misinformation, there is currently nothing in the Signal code base that touches stagefright without user interaction. Everything in question here is open source, so if you think there's a vulnerability associated with operations like parsing JPG files or whatever on Android, please cite your source. Everyone is fixated on MMS, but MMS has nothing to do with the actual vulnerability. |
|
I see you were sceptical from the start. Do you use the media library for displaying images? Especially how do you display the images you show when receiving MMS?
It's a very nice attack vector and every other attack vector is not really important for Signal. (Or do you display downloaded files too? 😉) Has anyone tried the exploit with Signal? |
No, I was asking for information from the start. At that point, there was none.
If you click on your own link, you'll see there's nothing about rendering images in there.
Go for it. Nothing in Signal touches stagefright without user interaction. |
Okay, so obviously the image may not be a valid one. You're right, Stagefright only seems to be about modified video files.
And what "user interaction" triggers it? Opening signal, opening a chat, saving a file? |
|
Playing the media |
|
Okay, that's unavoidable. So this issue can be considered closed. However, there are other good reasons to add an option for disabling MMS retrieval. BTW:
That's British English. https://en.wiktionary.org/wiki/sceptical |
|
@rugk might I provide one point of empathy for the Whisper team? This is open source. They are providing this for free out of the goodness of their hearts. To even continue working on this project is something we are all grateful for. So if they set priorities for issues that come in, we are at their mercy, which means they likely won't re-open this issue or the new one you've linked to. And because this is open source, you're free to submit a pull request if in fact your priorities are not in alignment with the priorities of the Whisper group. Therefore, in the interest of not continuing to receive updates about this already closed issue, I'd encourage you to add a pull request to explicitly disable MMS - you clearly care about this and no one is stopping you from working on it. But the Whisper team has already explained that they don't see an issue at the moment, so simply asking won't be convincing enough, especially given that you aren't paying them to implement this feature. Implementing it yourself may be the best hope for disabling MMS in Signal. |
|
Closing an issue means either "we have fixed/implemented it" or "this is invalid/will not be implemented/wontfix/...". Also keep in mind that this option was mostly just denied by the Whisper team to implement, because this would not help to mitigate the Stagefright vulnerability. BTW I'm not keen on having this feature. I'm just suggesting it, because I think it could provide an additional value. We'll also see how many users like this idea and want to have it too if #3821 is reopened and users may see and comment there. |
In light of the recent news of the Android flaw via the Stagefright hack, one immediate way to mitigate risk is to disable auto-downloading of MMS. However, there is no way in the app right now to disable auto-downloading.