2025-01-21 22:29:36 UTC

MarkAssPandi (tiny) on Nostr:

Not to mention, from what I see this is kinda "easy" to fix if it's a journalist or other high-tier person:
1. Zero-click is based on push notifications, which can be disabled or set to show only the name, not the actual content
2. In Signal settings you can turn off automatic download of media files, which will mitigate the 1-click aspect too (will still work after downloading the file itself tho)

And as always, if your threat model is high enough, you def should use a VPN or Tor

For regular users this doesn't really do much harm, assuming you don't have attackers specifically targeting you, and even if you did, Cloudflare datacenters aren't a very reliable source of exact location (author himself said ~250 miles radius).

I still think this is a very interesting finding, and I believe Signal should actually try to mitigate this somewhat instead of just saying it's not their responsibility, but I don't believe this is that severe.