Hacker News

mmooss, last Wednesday at 9:03 PM

> you should have to manually confirm with like "Yes I want to link to this device". And then if you thought you were scanning a group invite code you'd realize you weren't. (Yeah, you'd still have to realize that, but I think it's a meaningful step up over just "you scanned a code to join a group and instead it silently linked a different device".)

Remember that Signal is designed for non-technical users. Many/most do not understand QR codes, links, linking, etc, and they do not think much about it. They take an immediate, instinctive guess and click on something - often to get it off the screen so they can go back to what they were doing.

Do you have reason to think there is not confirmation? Maybe Signal's documentation will tell you.


Replies

KennyBlanken, last Wednesday at 11:30 PM

> Maybe Signal's documentation will tell you.

Not the person you replied to, but I just tried googling half a dozen different terms and got results that have nothing to do with Signal.

> Remember that Signal is designed for non-technical users.

That does not prevent them from putting up a warning message that says "You just scanned a code which will allow another device to read all future messages sent to you, and send messages from your identity. Are you sure you want to do that?" And the button says "link devices", not "yes" or "no."

I think the frustration here is that Signal petulantly and paternalistically refuses to allow you to fully sync to another device (and for years refused to even allow you to back up messages) because supposedly we can't be trusted with such a thing...but then they leave the QR code system so idiotically designed it's apparently trivial to phish people into linking their devices to malicious actors?

Why the fuck does scanning a QR code, without having first selected "link device", even open that dialog? Or require a PIN code they obsessively force us to re-enter all the time?

It's obviously ripe for abuse.

We admonish people for piping a remote document into their shell but a QR code that links devices with one click is OK?

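As an added illustration (not code from Signal, and not from anyone in this thread), here is a sketch of the intent-gated flow the comment above argues for: a scanned code that would link a device is refused unless the user first entered the "Link device" flow, and the link only completes after an action-specific button plus the PIN. The `invite:<group>` / `link:<device>` payload format, the mode names, the PIN value and the warning text are constructed for the example and are not Signal's real QR format or UI.

```python
"""Intent-gated handling of scanned QR payloads (constructed example)."""
import hmac
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import Optional


class Mode(Enum):
    IDLE = auto()
    LINK_DEVICE = auto()   # entered only when the user taps "Link device" themselves


@dataclass
class Outcome:
    action: str            # "joined", "blocked", "needs_confirmation", "linked", "aborted", "ignored"
    detail: str = ""


WARNING = ("This will let another device read all future messages sent to you "
           "and send messages from your identity.")


@dataclass
class Client:
    pin: str                                   # the account PIN; constructed for the example
    mode: Mode = Mode.IDLE
    pending_link: Optional[str] = None
    linked_devices: list = field(default_factory=list)
    groups: list = field(default_factory=list)

    def start_link_device(self) -> None:
        """Only an explicit user action enters the linking flow; a scan never does."""
        self.mode = Mode.LINK_DEVICE

    def scan(self, payload: str) -> Outcome:
        """Dispatch a scanned code. Hypothetical format: 'invite:<group>' or 'link:<device-id>'."""
        kind, _, value = payload.partition(":")
        if kind == "invite":
            # Joining a group is low-privilege, so it is honoured from any mode.
            self.groups.append(value)
            return Outcome("joined", value)
        if kind == "link":
            if self.mode is not Mode.LINK_DEVICE:
                # A device-link payload the user never asked for: refuse outright rather than
                # prompt, so a code disguised as a group invite cannot even start the flow.
                return Outcome("blocked", "device-link code scanned outside the Link Device flow")
            self.pending_link = value
            return Outcome("needs_confirmation", WARNING)
        return Outcome("ignored", kind)

    def confirm_link(self, button: str, pin_entered: str) -> Outcome:
        """Second proof of intent: an action-specific button label plus the PIN."""
        device = self.pending_link
        # Leave the linking flow whether or not the link succeeds.
        self.mode, self.pending_link = Mode.IDLE, None
        if device is None:
            return Outcome("aborted", "nothing pending")
        if button != "Link device":
            return Outcome("aborted", "user did not choose the Link device action")
        if not hmac.compare_digest(pin_entered, self.pin):
            return Outcome("aborted", "PIN mismatch")
        self.linked_devices.append(device)
        return Outcome("linked", device)


def demo() -> dict:
    """Phishing attempt first, then a legitimate link; returns the outcomes."""
    c = Client(pin="1234")
    phish = c.scan("link:attacker-laptop")      # presented to the victim as a "group invite"
    c.start_link_device()
    prompt = c.scan("link:my-desktop")
    wrong_pin = c.confirm_link("Link device", "0000")
    c.start_link_device()
    c.scan("link:my-desktop")
    done = c.confirm_link("Link device", "1234")
    return {"phish": phish.action, "prompt": prompt.action, "wrong_pin": wrong_pin.action,
            "done": done.action, "devices": list(c.linked_devices)}


if __name__ == "__main__":
    print(demo())
```

The design point is that the privileged action is keyed on the user's prior intent (the mode) and on a confirmation whose label names the action, not on the scanned payload alone; the attacker's code is dropped before any dialog appears.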
BrenBarn, last Thursday at 7:29 AM

> Do you have reason to think there is not confirmation?

The reason is just that in the article it says:

> threat actors have resorted to crafting malicious QR codes that, when scanned, will link a victim's account to an actor-controlled Signal instance

That phrasing suggests to me that the scanning of the QR code, on its own, performs the linking. That may not be the case, but if so I'd say the wording is misleading or at least imprecise.