| Title | Signal Signal Android App 7.41.4 (Current) Improper Authentication |
|---|
| Description | Improper Authentication Handling After Biometric Modification in Signal Android App
Signal's Android messaging application fails to enforce re-authentication after biometric credentials on the device are modified (e.g., a new fingerprint is added). This flaw allows an attacker with temporary physical access to the device and the device's PIN or password to enroll their own biometrics and subsequently unlock the Signal app without being prompted to re-enter the user's Signal PIN or password.
In practical scenarios, such as phone repair, technicians often require the user to either share or remove the device PIN or password. This allows them to access device settings and add biometric credentials while unsupervised. Because Signal does not detect this biometric enrollment event and does not invalidate existing biometric trust, the attacker can use their own fingerprint to access Signal, view messages, or impersonate the victim.
This vulnerability impacts both confidentiality and message integrity. As of this submission, Signal has not responded to the disclosure attempt and the issue remains unpatched.
----------NOTES TO REVIEWER---------
- The vast majority of Android apps invalidate biometric trust when biometrics are added, so this is abnormal behavior. Example Apps: Samsung Pay, Chase, etc.
- Please do not make the provided PoC video public. If this is accepted I can edit the video to look more professional and upload it elsewhere.
- I emailed Signal's security distro months ago and they haven't replied. I even offered to write a patch for this.
- This is my first CVE submission, so if I'm missing anything or you need additional info, please let me know! |
|---|
| Source | ⚠️ https://drive.google.com/file/d/1tI0bC8X8546ActlzGlmSU-AhCdD950y4/view?usp=drivesdk |
|---|
| User | S0lidstat3 (UID 85778) |
|---|
| Submission | 05/27/2025 01:24 AM (10 months ago) |
|---|
| Moderation | 06/05/2025 07:05 AM (9 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 311236 [Signal App 7.41.4 on Android Biometric Authentication critical step in authentication] |
|---|
| Points | 20 |
|---|
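The behaviour the submission contrasts with ("invalidate biometric trust when biometrics are added") is an Android Keystore feature, not app-level bookkeeping: a key created with `setInvalidatedByBiometricEnrollment(true)` is permanently invalidated by the OS when a new fingerprint or face is enrolled, and the app finds out the next time it tries to use the key. The Kotlin below is an added example written for this page; it is not Signal's code and makes no claim about how Signal currently implements its lock. `AppLock`, `UNLOCK_KEY_ALIAS`, `onUnlocked` and `requirePassphrase` are illustrative names; the fallback is deliberately the app's own PIN/passphrase rather than the device credential, because in the report's threat model the attacker already holds the device PIN.

```kotlin
// Added example, not Signal's code. Binds app unlock to an Android Keystore
// key that the OS destroys on any new biometric enrollment, so an attacker
// who adds their own fingerprint is pushed back to the app's own passphrase.
// AppLock, UNLOCK_KEY_ALIAS, onUnlocked and requirePassphrase are assumed names.
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyPermanentlyInvalidatedException
import android.security.keystore.KeyProperties
import androidx.biometric.BiometricManager
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey

object AppLock {
    private const val UNLOCK_KEY_ALIAS = "app_unlock_key" // assumed alias
    private const val KEYSTORE = "AndroidKeyStore"

    // Call once, right after the user has proven the app passphrase.
    // The key is usable only inside a successful biometric authentication
    // and is permanently invalidated by the OS when the biometric set changes.
    fun createUnlockKey(): SecretKey {
        val spec = KeyGenParameterSpec.Builder(
            UNLOCK_KEY_ALIAS,
            KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
        )
            .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
            .setUserAuthenticationRequired(true)        // per-use auth, no timeout
            .setInvalidatedByBiometricEnrollment(true)  // API 24+: the missing check
            .build()
        return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE)
            .apply { init(spec) }
            .generateKey()
    }

    private fun keyStore(): KeyStore = KeyStore.getInstance(KEYSTORE).apply { load(null) }

    // Returns a Cipher bound to the unlock key, or null if the key is missing or
    // was invalidated by a biometric change. Keystore reports the invalidation
    // at Cipher.init, before any biometric prompt is shown.
    fun unlockCipherOrNull(): Cipher? {
        val key = keyStore().getKey(UNLOCK_KEY_ALIAS, null) as? SecretKey ?: return null
        val cipher = Cipher.getInstance("AES/GCM/NoPadding")
        return try {
            cipher.init(Cipher.ENCRYPT_MODE, key)
            cipher
        } catch (e: KeyPermanentlyInvalidatedException) {
            // A fingerprint/face was added or removed since the key was created.
            // Remove the dead key so biometric unlock cannot be retried until the
            // passphrase has been re-entered and createUnlockKey() has run again.
            keyStore().deleteEntry(UNLOCK_KEY_ALIAS)
            null
        }
    }

    fun unlock(activity: FragmentActivity, onUnlocked: () -> Unit, requirePassphrase: () -> Unit) {
        val cipher = unlockCipherOrNull()
        if (cipher == null) {
            requirePassphrase() // app secret, not the device PIN the attacker already knows
            return
        }
        val prompt = BiometricPrompt(
            activity,
            ContextCompat.getMainExecutor(activity),
            object : BiometricPrompt.AuthenticationCallback() {
                override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
                    // Trust the unlock only if the OS handed our CryptoObject back,
                    // i.e. the Keystore key was really usable under this authentication.
                    if (result.cryptoObject?.cipher != null) onUnlocked() else requirePassphrase()
                }
                override fun onAuthenticationError(errorCode: Int, errString: CharSequence) {
                    requirePassphrase()
                }
            }
        )
        val info = BiometricPrompt.PromptInfo.Builder()
            .setTitle("Unlock")
            .setNegativeButtonText("Use passphrase")
            // A CryptoObject requires BIOMETRIC_STRONG; do not add DEVICE_CREDENTIAL here.
            .setAllowedAuthenticators(BiometricManager.Authenticators.BIOMETRIC_STRONG)
            .build()
        prompt.authenticate(info, BiometricPrompt.CryptoObject(cipher))
    }
}
```

Two checks a reviewer would want when assessing a report like this one: first, whether the app's biometric path actually goes through a `CryptoObject` backed by a Keystore key at all (a bare `BiometricPrompt` with no `CryptoObject` only yields a yes/no from the OS and inherits none of the enrollment-invalidation semantics); second, whether the fallback on invalidation is the app's own secret rather than `DEVICE_CREDENTIAL`, since the latter would let the PIN-holding repair technician from the description straight back in.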