Source: TechCrunch
Attackers are exploiting the friction between Signal's encrypted messaging and its cloud backup feature. Users must manually manage a recovery key to access backed-up messages, creating an ideal social engineering vector. The gap is stark: security-conscious consumers choose Signal to avoid surveillance, yet the operational complexity forces them to manage secrets outside the app's protection, leaving them vulnerable to credential theft at the moment they're trying to protect their data.