Skip to main content
  1. Home
  2. Phones
  3. Mobile
  4. News

Vulnerability in Signal messaging app could let hackers track your location

Add as a preferred source on Google

A vulnerability in the secure messaging app Signal could let a bad actor track a user’s location, according to findings from cybersecurity firm Tenable.

Researcher David Wells found that he could track a user’s movements just by calling their Signal number — whether or not the user had his contact information. This could be a big problem for victims of stalking, or for activists and journalists who are trying to avoid government or law enforcement detection to leak information or act in a whistleblower capacity.

Recommended Videos

There are two aspects to the vulnerability, Wells said. One is that if two Signal users have each other as contacts, it’s possible for them to determine each other’s location and IP address by calling, even if the person being called doesn’t answer the phone.

“That feature is not well advertised, and it’s interesting that someone could disclose your location if they’re your contact,” Wells said. “That’s kind of odd.”

It turns out that even if you don’t have a person in your contacts list, they can still roughly determine your rough location just by calling you on Signal. This works even if you don’t pick up or see the call.

“Let’s say I have a burner phone and I just ring your phone, and I do it so quickly that all you see is a missed call from some number,” Wells said. It turns out that’s enough for the caller to see what DNS server your phone automatically connects to. “Usually, it’ll be somewhat near you,” Wells continued. “So I can force that DNS server [near you] to talk to me. By getting that information, I know what DNS server you’re using and I can determine your general location.”

“The core of the issue is that you’re helpless,” Wells said. Simply by calling your phone, which you can’t control, a threat actor could determine your general location.”

“It’s not like clicking on a link [as in phishing],” he said. “Anyone can do this to you.”

Image used with permission by copyright holder

Signal has reportedly already released a patch for the vulnerability via Github, but as of now, it is not yet available through any app stores.

Signal declined to publicly comment when asked about the reported vulnerability, but Wells told Digital Trends that he heard the team was working on an update that would patch the problem.

Signal recently announced it would be rolling out PIN numbers for people to use instead of phone numbers, which may help plug the security hole.

The vulnerability also has limitations. The method isn’t 100% reliable; at one point, Wells called an associate in Pennsylvania as an experiment, and the associated DNS server that responded was 400 miles away in Toronto.

“It’s very coarse,” Wells admitted.

The researcher also wasn’t able to determine a person’s specific address, for example. But when a callee’s phone connected to certain servers, he was able to see clearly what city they were in and track their daily movements.

“We’re not cracking Signal’s encryption or saying don’t use Signal. The sky isn’t falling,” he said. “But for a certain subset of people, this is going to be a problem.”

Maya Shwayder
I'm a multimedia journalist currently based in New England. I previously worked for DW News/Deutsche Welle as an anchor and…
Samsung Galaxy Z Flip 8: Everything we know about the upcoming clamshell folding phone
Of the three phones expected to arrive at Galaxy Unpacked, the Flip 8 is shaping up to be the most underwhelming.
Three Galaxy Z Flip 7 models next to each other

The Fold 8 Ultra could get a sharper display, a more powerful chipset, a new camera, and a larger battery. Samsung’s purported wider foldable, the Fold 8, is expected to solve the most common problem with tall-body, narrow cover screens by adopting a new aspect ratio. The Flip 8, on the other hand, could only debut with a new chip, and not a Snapdragon one. 

The Flip 7 wasn’t a bad clamshell by any measure. However, it's been one year, and the memory crisis has already hit the smartphone market hard. In a tricky cost-to-margin situation, the Flip 8 could end up getting a price hike without any major improvements, and that might not sit well with potential buyers.

Read more
Google Contacts borrows a handy iPhone trick to make sharing your number easier
google-contacts-app

Google is rolling out a small but useful update to the Contacts app on Android that makes it much easier to find and share your own contact details. Instead of digging through settings or creating a separate contact for yourself, you'll now see a dedicated 'Your Info' card at the very top of your contacts list.

The feature gives you quick access to your phone number, email addresses, and other personal details while also adding a faster way to share them with others. The update is arriving with Google Contacts version 4.83.13.940538822 and is rolling out widely (via 9to5Google).

Read more
Another Apple price hike just landed, this time on Apple One
Family and Premier Apple One subscribers will now pay $24 more each year.
Apple One

Apple has raised the monthly price of its Family and Premier Apple One bundles in the US. The Family plan now costs $27.95 per month, up from $25.95, while Premier has climbed from $37.95 to $39.95. Both plans are now $2 more expensive each month, adding another $24 to the annual bill. The Individual plan remains unchanged at $19.95 per month.

The increase arrives shortly after Apple raised subscription prices for Apple Music across its student, individual, and family plans. New AppleCare+ customers buying coverage for Macs and iPads have also been hit by higher prices recently.

Read more