Signal Messenger bug bypasses Touch ID and passcode on any iPhone

A security vulnerability in the ultra-secure messaging app, Signal Private Messenger, allows you to unlock any iPhone. Here’s how this proof-of-concept works and how you can keep your device safe.

Anyone can bypass TouchID and passcode 

It seems like Signal, the secure messaging app endorsed by Edward Snowden, is not so secure after all.

A new vulnerability in the Signal application allows anyone to read your chats without entering the passcode or authenticating Touch ID.

Labeled CVE-2018-9840, this bug was discovered by Leonardo Porpora, a 17-year old Italian student.

Here’s a proof-of-concept for this bug.

Signal Private Messenger first introduced passcode protection on April 3, 2018.

Hacker Leonardo began testing the app for flaws and successfully bypassed the in-app Touch ID and passcode restrictions.

He reported this security vulnerability to the developers when App Store was distributing version 2.23.

Fortunately, the developers immediately released a patch in version 2.23.1.1. They also recognized this bug on their App Store page here.

How to use CVE-2018-9840 to unlock Signal 

Method 1

  • Open Signal app.
  • When the app prompts you to enter the passcode, tap “Cancel”.
  • Tap the “Home” button.
  • Reopen the app without the passcode or Touch ID prompts.

Method 2

  • Open Signal app.
  • When it prompts you to enter the passcode, tap “Cancel”.
  • Press the “Home” button.
  • Double tap the “Home” button.
  • Close the app and reopen it.
  • Repeat steps 2 and 3 again.
  • You can now open the app without any restrictions.

How can you stay safe?

The only solution to keep your messages and chats secure is to upgrade to the latest version.

You can download the latest version, that is, 2.23.2 below.

I would not recommend staying on older versions for security reasons. Furthermore, the latest version also brings a good few performance and feature updates.

For more security news and updates, follow us on Twitter and Facebook.

Leave a Reply