Signal, the mobile messaging app recommended by NSA leaker Edward Snowden and a large number of security professionals, just fixed a bug that allowed attackers to add random data to the attachments of encrypted messages sent by Android users. The update is available on this Github submission, but isn’t yet available in the Google Play market for Android apps.
The message authentication-bypass vulnerability was one of two weaknesses found by researchers Jean-Philippe Aumasson and Markus Vervier in an informal review of the Java code used by the Android version of Signal.
