Ibrahim is a security engineer focused on the security and privacy of end-to-end encrypted (E2EE) messaging applications, including WhatsApp, Telegram, and Signal. His research explores vulnerabilities in these systems, from zero-click attacks to metadata leaks, with the goal of strengthening the guarantees they provide to billions of users worldwide.
In addition, Ibrahim has over a decade of experience advancing program analysis and static analysis techniques to detect and prevent vulnerabilities at scale. He has contributed to securing massive codebases in languages such as PHP, Python, and Java, building tools that help developers and security teams identify and remediate issues more effectively.
Session
This talk is a walkthrough of a security review of Signal, one of the most widely used E2EE messaging applications. Instead of focusing purely on cryptography, this review examines how Signal’s implementation.
We’ll begin with Signal’s 1:1 messaging system, covering Double Ratchet, Sealed Sender, and encrypted profile data. This section highlights a zero-click vulnerability in device synchronization that allowed attackers to silently edit, delete, or inject messages.
We’ll then turn to Signal’s groups, with emphasis on zero-knowledge membership validation and authorization. Here, I’ll present a vulnerability that enabled privilege escalation and unauthorized rejoining of groups, effectively breaking group authorization.
The talk concludes with lessons learned from this review and a call to action for researchers to engage with Signal’s open-source ecosystem to further strengthen its security.
