
Why Olvid is not affected by recent attacks targeting other mainstream messaging apps

March 23, 2026


The Case in Brief

Following alerts from the BSI and AIVD, the C4 (Cyber Crisis Coordination Centre) has published a note on the phishing campaign targeting certain instant messaging apps.

The note highlights two types of attacks:

  • Fake Group Invitation: The targeted user is tricked into scanning a QR code, which actually allows the attacker to add a device they control to the victim’s messaging account.
  • Direct Solicitation Attack: The targeted user receives a message designed to extract confidential information.

The note states that "all other mainstream instant messaging apps are affected by this method".

All of them? Well, not entirely… One small messenger made by indomitable Gallic cryptographers still holds out against the adversaries. And that’s Olvid, of course. Let’s see why.

On Fake Group Invitations

The first attack is possible on any messaging app that allows:

  • Adding a device to an account via a simple QR code scan,
  • Joining a group via a simple QR code scan.

The common thread is the single QR code scan. Joining a group and adding a device are very different operations, yet in these apps both are triggered by the same gesture and handled by extremely similar mechanisms, so a user who believes they are accepting a group invitation may in fact be authorising a new device on their own account.

Adding a device is a particularly sensitive and relatively rare operation, and it should not rely on a minimal, unilateral interaction. In other words, allowing a device to be added via a single QR code scan is not secure enough.

That’s why Olvid uses a specific, interactive method requiring real-time action on each device: the first device displays an 8-digit code that must be entered on the second device, which then displays 8 new digits to be entered on the first. Additionally, there is no "external" method (link, QR code, etc.) to initiate device addition; the user must take the initiative to go to the right place in the app to start the process.

While no method can guarantee absolute protection against social engineering, Olvid’s device addition mechanism significantly complicates the attacker’s task.

On Direct Solicitation Attacks

This second threat relies on classic phishing, achievable through any communication channel that allows a user to impersonate someone else. Many online scams begin this way.

It’s no surprise that these attacks are technically trivial via email or SMS, channels not designed to be secure. However, we believe they should not be acceptable on messaging apps labeled as "secure." These apps should, as much as possible, protect their users by cryptographically blocking spam.

Olvid does exactly that, but not all messaging apps follow suit.

This difference stems from a fundamental design choice: most messaging apps allow users to "discover" other users automatically. Regardless of whether this feature is considered convenient, essential, intrusive, or annoying, it inherently exposes every user to unsolicited messages.

That’s why Olvid emphasizes end-to-end authentication. Whether in person or remotely, adding an Olvid contact always requires explicit user action, forcing them to verify the identity of their new contact. The result: unsolicited messages from unknown senders cannot reach an Olvid user, which drastically reduces the risk of phishing.
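To make the "no discovery, verified contacts only" policy concrete, here is an added example (not Olvid's code, and not from the original post) of a client whose inbox admits a message only when it comes from a contact the user explicitly verified and the message authenticates under that contact's key. The per-contact HMAC key is a stand-in for the authenticated key material a real protocol establishes during verification; the identifiers, the `Client`/`Message` names and the sample messages are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict


def _encode(sender_id: str, body: bytes) -> bytes:
    # Length-prefix the sender id so (id, body) pairs cannot collide.
    sid = sender_id.encode()
    return len(sid).to_bytes(2, "big") + sid + body


@dataclass
class Message:
    sender_id: str   # identity the message claims to come from
    body: bytes
    tag: bytes       # authentication tag over (sender_id, body)


def send(sender_id: str, key: bytes, body: bytes) -> Message:
    """Build a message authenticated with the sender's per-contact key."""
    tag = hmac.new(key, _encode(sender_id, body), hashlib.sha256).digest()
    return Message(sender_id, body, tag)


@dataclass
class Client:
    """Messenger without a directory: contacts exist only after the user
    verified them. There is no lookup by phone number or username, so an
    unknown party has no way to get a message in front of the user."""
    contacts: Dict[str, bytes] = field(default_factory=dict)

    def verify_contact(self, contact_id: str, shared_key: bytes) -> None:
        # Stand-in for the explicit, user-driven verification step
        # (scanning each other's identity in person, a remote mutual
        # confirmation, ...). Nothing else creates a contact.
        self.contacts[contact_id] = shared_key

    def receive(self, msg: Message) -> str:
        key = self.contacts.get(msg.sender_id)
        if key is None:
            # Unsolicited message from someone never verified: never shown.
            return "dropped: unknown sender"
        expected = hmac.new(key, _encode(msg.sender_id, msg.body),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, msg.tag):
            # Sender id of a real contact, but no proof of that identity.
            return "dropped: impersonation"
        return "delivered"


def scenarios() -> Dict[str, str]:
    """Constructed traffic against one client; returns the verdict per case."""
    alice = Client()
    bob_key = secrets.token_bytes(32)      # agreed when Alice verified Bob
    alice.verify_contact("bob", bob_key)

    genuine = send("bob", bob_key, b"lunch tomorrow?")
    # "Direct solicitation": a party Alice never added tries to reach her.
    cold_phish = send("it-support", secrets.token_bytes(32),
                      b"please confirm your credentials")
    # Impersonation: attacker knows Bob's id but not the verified key.
    forged = send("bob", secrets.token_bytes(32), b"send me the code you got")

    return {
        "genuine": alice.receive(genuine),
        "cold_phish": alice.receive(cold_phish),
        "forged": alice.receive(forged),
    }


if __name__ == "__main__":
    for case, verdict in scenarios().items():
        print(f"{case:>10}: {verdict}")
```

The important part is the order of checks in `receive`: the sender must already be a verified contact before any cryptography runs, so an app without automatic discovery has no "first contact from a stranger" path for a phisher to exploit.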

A Note on the Digital Hygiene Recommendation to Set a PIN Code

The C4 note suggests that setting an "app PIN" prevents third-party account takeovers.

This isn’t always true.

Take Signal, for example: When you change phones, Signal asks you to verify ownership of your phone number via an SMS code. The app then prompts you to enter your PIN, but you can skip this step. The PIN is only required to restore settings and contacts, and it’s not essential for account recovery[1].

An attacker could also skip the PIN step, allowing them to receive and send messages in your name.

Why did Signal make the PIN optional for account recovery?

Imagine if the PIN were mandatory. A user gets a new SIM card with a phone number previously owned by someone else[2]. If the previous owner used Signal and set a PIN, the new (legitimate) user would be locked out of the app forever without knowing the code.

Signal cannot enforce a mandatory PIN for phone changes[3], so the PIN does not actually prevent third-party account takeovers.
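To show how the SMS check, the skippable PIN and the time-limited Registration Lock combine, here is an added example (not Signal's code, and not from the original post) that models the recovery policy exactly as the post and footnotes [1] and [2] describe it. It assumes the 7-day Registration Lock window is counted from the account's last use; the account data, dates and the `Account`/`Attempt` names are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional

# Footnote [1]: the PIN is mandatory only for a limited period of 7 days.
# Assumption for this model: the window is counted from the last use.
REGISTRATION_LOCK_WINDOW = timedelta(days=7)


@dataclass
class Account:
    phone_number: str
    pin: Optional[str]        # PIN chosen by the owner, or None
    registration_lock: bool   # optional "Registration Lock" setting
    last_used: datetime


@dataclass
class Attempt:
    """What the party re-registering the number can do."""
    has_sms_code: bool   # controls the SIM / can receive the SMS
    knows_pin: bool
    enters_pin: bool     # PIN entry can be skipped unless the lock applies


def pin_enforced(account: Account, now: datetime) -> bool:
    """The PIN is mandatory only while Registration Lock is on and recent."""
    return (
        account.registration_lock
        and account.pin is not None
        and now - account.last_used <= REGISTRATION_LOCK_WINDOW
    )


def reregister(account: Account, attempt: Attempt, now: datetime) -> str:
    """Outcome of re-registering the number on a new phone.

    'denied'     no SMS code, nothing happens
    'locked'     PIN mandatory and not known
    'messaging'  account usable to send/receive, PIN skipped
    'full'       account usable and settings/contacts restored
    """
    if not attempt.has_sms_code:
        return "denied"
    if pin_enforced(account, now):
        return "full" if attempt.knows_pin else "locked"
    # Lock not enforced: the PIN prompt is optional. Skipping it still
    # yields an account that sends and receives in the owner's name.
    if attempt.enters_pin and attempt.knows_pin:
        return "full"
    return "messaging"


def scenarios() -> Dict[str, str]:
    """Constructed cases; the same policy decides every one of them."""
    now = datetime(2026, 3, 23)
    active = Account("+33600000000", "123456", True, now - timedelta(days=2))
    stale = Account("+33600000000", "123456", True, now - timedelta(days=60))
    nolock = Account("+33600000000", "123456", False, now - timedelta(days=1))

    # Attacker who obtained the SMS code (SIM swap, port-out, ...).
    hijacker = Attempt(has_sms_code=True, knows_pin=False, enters_pin=False)
    # Footnote [2]: after 45-120 days the number may be reissued; the new
    # legitimate owner is indistinguishable from the hijacker above.
    new_owner = Attempt(has_sms_code=True, knows_pin=False, enters_pin=False)
    # The real owner on a new phone, choosing to skip the PIN prompt.
    owner_skips = Attempt(has_sms_code=True, knows_pin=True, enters_pin=False)

    return {
        "hijack_recent_lock": reregister(active, hijacker, now),
        "hijack_stale_lock": reregister(stale, hijacker, now),
        "hijack_no_lock": reregister(nolock, hijacker, now),
        "recycled_number": reregister(stale, new_owner, now),
        "owner_skips_pin": reregister(nolock, owner_skips, now),
    }


if __name__ == "__main__":
    for case, outcome in scenarios().items():
        print(f"{case:>20}: {outcome}")
```

The two cases that matter are `hijack_stale_lock` and `recycled_number`: they run through identical code paths, which is exactly why the lock cannot be made permanent without stranding the next legitimate owner of the number.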

Some messaging apps, by design, avoid this issue entirely. This is for example the case with Olvid (which doesn’t rely on phone numbers and allows users to create multiple profiles) and SimpleX Chat.

Strong encryption requires strong authentication

Before concluding, it’s crucial to highlight one key point: up to here, neither the C4 note nor this post has mentioned end-to-end encryption, even though all the targeted apps use it.

The reason is simple: end-to-end encryption alone does not guarantee true end-to-end security. It must be paired with end-to-end cryptographic authentication.

End-to-end security
=
End-to-end authentication
+
End-to-end encryption

Conclusion

The C4 note clearly describes two attacks that expose users of certain mainstream messaging apps.

We say "certain," not "all."

Indeed, contrary to what the note implies, Olvid is not affected by these attacks.

Why? Because Olvid is designed to make no compromises on security while remaining accessible, simple to use, and free for everyone.

So, ladies and gentlemen of the C4, isn’t that worth an extra digital hygiene recommendation? Use Olvid!


[1] Signal’s ‘Registration Lock’ option lets you require the PIN when the number is re-registered on a new phone, but the lock lapses after 7 days without the app being used, so it does not protect an account that has gone unused for a week.

[2] As far as we know, the operator has between 45 and 120 days to reallocate a number.

[3] Another reason is that some users simply forget their PIN, and Signal has no way of resetting it, for good security reasons.


Find and share the French version here : https://olvid.io/articles/c4-alert-phishing/fr/.