submitted 7 months ago* (last edited 7 months ago) by [email protected] to c/[email protected]

When I press on some message to forward it, it shows me Random usernames of contacts I don't know. And it even shows some Mobile Numbers I don't know. For example, one number starts with +964 that's Iraq. I'm from Europe tho. These contacts and numbers are from all over the place.

Edit: This only happens on Signal Desktop. If I try to forward a message on Android it only shows my Contacts. And none of these unknown ones.

[-] [email protected] 176 points 7 months ago* (last edited 7 months ago)

For all of our safety, consider submitting a bug report.

[-] [email protected] 53 points 7 months ago

Thanks for the Link. I submitted a report.

[-] [email protected] 15 points 7 months ago

link to report so we can track? thanks!

[-] [email protected] 12 points 7 months ago

I don't think it's the same user, but here's a report on GitHub with same repro

[-] [email protected] 6 points 7 months ago* (last edited 7 months ago)

This is a totally different thing, and I also don't get what the problem of this user is. He wants to share a picture and then just like on Android the list of your recent chats opens where of course the profile pic shows to know where you want to send it to, and he somehow doesn't want the profile pic to be there even tho this is totally normal behavior from Android and iOS since... always? Or do I misunderstand his problem because I don't use iOS? Well the most important part, it doesn't sound like my problem at all.

[-] [email protected] 12 points 7 months ago

What that user is describing is very serious. They are saying iOS can reach into Signal and extract data.

[-] [email protected] 12 points 7 months ago* (last edited 7 months ago)

The user is describing iOS' share sheet, which Signal seems to advertise as a feature. The OS isn't reaching in and grabbing data, Signal is providing data to the OS.

Also note that said user signaled this on the Signal-Android repo, which combined with their inability to find this info, when I don't even own an iOS device, makes me think they aren't the most observant user out there.

[-] [email protected] 5 points 7 months ago

I just followed his link and submitted my report. Don't have any link.

[-] [email protected] 45 points 7 months ago

Has anyone else been able to reproduce this? I just tried and was not able to.

OP, is it possible these people were in group chats you were part of?

[-] [email protected] 16 points 7 months ago

I still don't see any bug report anyone can follow up on.... I cannot trust OP's experience until that's linked here.

[-] [email protected] 8 points 7 months ago

The bug report forum from Signal doesn't give you any link.

[-] [email protected] 9 points 7 months ago

No, they are not. I'm in two groups. None of them are in the groups. I only use Signal for Real life friends from my Country. I never joined any random group. These people are from all over the world.

[-] [email protected] 4 points 7 months ago

Interesting. Are there any other accounts on your phone that provide contacts? Maybe social media or other chat platforms? On Android you can see accounts in Settings > Passwords & Accounts (or somewhere similar; it varies a little between brands). You can also check inside your Contacts app by expanding the sidebar (again, varies by brand).

Just a thought. I don't have any other contact providers on my phone so I can't test it myself.

Please keep us posted if you get any official response or learn anything new!

[-] [email protected] 6 points 7 months ago

Nope. And I maybe had to add (did it now) that this only appears to be a problem with Signal Desktop. My signal app on android doesn't even show other contacts from strangers. I will update this if I get a response, of course.

[-] [email protected] 5 points 7 months ago

Group chats very likely. There are often sync issues from mobile, so these may just be old spam or group chat numbers.

[-] [email protected] 45 points 7 months ago

I just counted. Signal leaked 56 random people to me.

[-] [email protected] 35 points 7 months ago

Could it be that these are spam numbers that tried to reach you at some point but were blocked before they could?

[-] [email protected] 22 points 7 months ago* (last edited 7 months ago)

Huge if true! You could conceivably submit your phone to a Cybersecurity company and share in any reward.

Help us with:

  • Your OS Version
  • OS settings that are possibly related
  • How you obtained Signal
  • Signal version
  • Video proof
  • Steps to reproduce

Who knows how to compute a hash for an installed mobile phone app? We need to compare it with legit.

[-] [email protected] 12 points 7 months ago

https://imgur.com/a/a6CQSpA

The video proof. It also shows the OS and Steps to reproduce. How I obtained Signal: Flathub. Signal Version: 6.38.0. OS Settings: Nothing relevant.

[-] [email protected] 4 points 7 months ago* (last edited 7 months ago)

I advise you stop using Signal Desktop immediately, they keep the database key in plaintext. Exposed over 5 years ago and still not fixed. Frankly I find this pretty pathetic. Making this safer could be as simple as encrypting such files with something like age and perhaps regenerating the keys on a frequent basis (yes I know full disk encryption is somehow a viable solution against unwanted physical access). But instead, they'd rather focus on security by network effect by adding shiny UX features instead of fixing infrastructural stuff, like improving trust by decentralization, not requiring phone numbers to join, or adding support for app passphrase (which is available in case of Molly, along with regular wiping of RAM data which makes things like cold boot or memory corruption attacks harder).

[-] [email protected] 5 points 7 months ago

There is nothing more that I hate than typing on my Phone. I can't live without Signal Desktop.

[-] [email protected] 14 points 7 months ago

Wtf is happening in these comments

[-] [email protected] 13 points 7 months ago

I've been getting spam on signal. I wonder if this is how they got my number

[-] [email protected] 10 points 7 months ago

Noticed in one of your comments this is happening on Signal desktop. Is this a Windows machine? Maybe update your post so people are aware it's not on Android.

[-] [email protected] 8 points 7 months ago
[-] [email protected] 21 points 7 months ago

My confidence in signal is greater than my confidence in a random fork. Privacy is hard... So I feel it's better to trust something less than ideal, than to trust a random dude promising to solve all problems...

That's just my threat model.

[-] [email protected] 4 points 7 months ago* (last edited 7 months ago)

Also don't get me wrong. Molly might be written by less experienced programmers. And if it was written from scratch, it could be very likely it would contain more vulnerabilities per 1000 lines of code than standard Signal app. But it's mostly just it's a hardened superset sans some nasty stuff. I'd compare that more to how Calyx or GrapheneOS are to plain AOSP than how some low maintenance random custom ROM from XDA with fuckton of bells and whistles that will leave your bootloader unlocked is.

[-] [email protected] 8 points 7 months ago

It's not a problem with the Android App.

[-] [email protected] 8 points 7 months ago* (last edited 7 months ago)
[-] [email protected] 29 points 7 months ago

56 different numbers from all over the world, and all of them are actually real and have signal? I doubt I accidentally do something like this haha :)

[-] [email protected] 5 points 7 months ago
[-] [email protected] 4 points 7 months ago

am glad that https://simplex.chat doesn't even need to touch sensitive personal data strong selectors such as phone numbers or email addresses!

[-] [email protected] 13 points 7 months ago

Why is this being downvoted?

[-] [email protected] 13 points 7 months ago

I think some people get lost and don't realize that this is a privacy-centric community.

The mere potential for identifier leaking is 100% anti-privacy.

[-] [email protected] 5 points 7 months ago

Privacy aside, but just for a second - if we don't hold ourselves to a higher standard, our standard will just be lower. That's all that will happen.

[-] [email protected] 6 points 7 months ago

Likely because while simplex looks great and is very promising, it doesn't add much to the conversation here. Signal is primarily a replacement for SMS/MMS, this means people generally would want their contacts readily available and discoverable to minimize the friction of securely messaging friends/family. Additionally it's dangerous to be recommending a service that hasn't been audited nor proven itself secure over time.

[-] [email protected] 20 points 7 months ago* (last edited 7 months ago)

> a service that hasn't been audited

Edit: provided link to audit

this post was submitted on 26 Nov 2023
295 points (95.1% liked)
