Hi folks! The ETH team of prof. Kenny Paterson presented two vulnerabilities on Signal yesterday on the IACR RWC conference, together with researchers from Max Planck Institute and Radboud: https://iacr.org/submit/files/slides/2026/rwc/rwc2026/29/29_slides.pdf (check slide 33!)
They contacted us some weeks ago, because they were quite sure the same vulnerability existed in Whisperfish, Flare, and family. The issue was patched in beta 39, within the vulnerability disclosure window. Signal patched and released it before us, but we were still taken in the loop. I’m quite happy with how the collaboration went here, and I’m quite happy that we’re taken serious enough to be contacted for such reports!
Happy whispering! 