[Zarathust]

This indeed looks like a FUD statement, implying that they can have an infinite amount of potential vulnerabilities. Realistically though, writing parsers that do not yield control of your whole device is not that complex. The people exploiting iOS zero days can certainly do it.

[Karunamon]

You're not wrong at all, but if they're shipping these garbage ancient versions of ffmpeg, there are likely oodles of other bugs lurking around. And, if Cellebrite acts like most other companies who've had their awful security exposed, they will fix only this bug and leave everything else.

[kevinmchugh]

It's not that hard but neither is shipping patched versions of ffmpeg. This company will have some catching up to do.

[spoonjim]

But it might be easier for Cellebrite to just stop exfiltrating data from Signal. Of course, other apps could discover similar vulnerabilities.

[chopin]

That's not enough. With file system permission, Signal could place files anywhere (like prepared gifs in the Pictures folder).

I think this taints any phone having Signal installed.

[da_big_ghey]

the signal are capable for finding more exploit with more time. important piece is that exists now a reasonable doubt on data from the celebrite, so it are not so good for evedince.