When I press on some message to forward it, it shows me Random usernames of contacts I don’t know. And it even shows some Mobile Numbers I don’t know. For example, one number starts with +964 that’s Iraq. I’m from Europe tho. These contacts and numbers are from all over the place.
Edit: This only happens on Signal Desktop. If I try to forward a message on Android it only shows my Contacts. And none of these unkown ones.
This is a totally different thing, and I also don’t get what the problem of this user is. He wants to share a picture and then just like on android the list of your recent chats opens where of course the pofilepic shows to know where you want to send it to, and he somehow doesn’t want the profile pic to be there even tho this is totally normal behavior from android and iOS since… always? Or do I misunderstand his problem because I don’t use iOS? Well the most important part, it doesn’t sound like my problem at all.
The user is describing iOS’ share sheet, which Signal seems to advertise as a feature. The OS isn’t reaching in and grabbing data, Signal is providing data to the OS.
Also note that said user signaled this on the Signal-Android repo, which combined with their inability to find this info, when i don’t even own an iOS device, makes me think they aren’t the most observant user out there.
As far as I know, it’s just some sex hotline I found online. Nothing on the website said it’s for Gay people. So I guess you just tried to insult me with “gay” by asking if it’s my Gay agency. xD Do you actually think that “gay” is an insult? Jokes on you, I’m Bisexual. So I’m half gay, now what? xD Insulting someone with “gay” in 2023. Man, you are really fucking cringe. Try to get some actual insults. 4th graders insult better than you, maybe ask them.
No, they are not. I’m in two groups. None of them are in the groups. I only use Signal for Real life friends from my Country. I never joined any random group. These people are from all over the world.
Interesting. Are there any other accounts on your phone that provide contacts? Maybe social media or other chat platforms? On Android you can see accounts in Settings > Passwords & Accounts (or somewhere similar; it varies a little between brands). You can also check inside your Contacts app by expanding the sidebar (again, varies by brand).
Just a thought. I don’t have any other contact providers on my phone so I can’t test it myself.
Please keep us posted if you get any official response or learn anything new!
Nope. And I maybe had to add (did it now) that this only appears to be a problem with Signal Desktop. My signal app on android doesn’t even show other contacts from strangers. I will update this if I get a response, of course.
Yup either official and through an Ubuntu/Debian container, or mess up your local system with the Opensuse Repo, or just use the Flatpak that just works
This is super helpful, I may post this to infosec.exchange. Flathub makes this so much more difficult to find the reason for what looks like a real breach. I don’t use Flathub for security reasons so I don’t know if you can even isolate the PID? Anyone know?
I don’t want you to have to spend a lot of time or troubleshoot over the web but if you see anything that stands out as “wow shouldn’t be there/running” when you run these commands come back to us:
I advise you stop using Signal Desktop immediately, they keep the database key in plaintext. Exposed over 5 years ago and still not fixed. Frankly I find this pretty pathetic. Making this safer could be as simple as encrypting such files with something like age and perhaps regenerate the keys on a frequent basis (yes I know full disk encryption is somehow a viable solution against unwanted physical access. But instead, they’d rather focus on security by network effect by adding shiny UX features instead of fixing infrastructural stuff, like improving trust by decentralization, not requiring phone numbers to join, or adding support for app pasphrase (which is available in case of Molly, along with regular wiping of RAM data which makes things like cold boot or memory corruption attacks harder)
maybe try setting up a matrix bridge if you feel confident you can secure that properly. On one hand it might increase attack surface (use only servers and bridges with End to Bridge Encryption) but what’s an attack surface on software that is so ridiculously compromised. Also you can try using an alternative client such as Flare. Though YMMV, for me the last time I’ve used it it was quite rough around the edges but I’m happy to see it’s actively maintained so might be worth checking out.
Also no, flatpak doesn’t fix this issue. Yeah it provides some isolation which can be further improved with flatseal, and other defense-in-depth methods. But unless you are willing to face the trade-offs of using Qubes, you won’t compartmentalize your entire system. The key file in question is stored in ~/.local/share. I’m not denying vulnerabilities in userland applications, but thanks to it’s wide reach, often massive codebases and use of unsafe languages like C, it’s the core system or networked software that is the most common attack vector. And that doesn’t ship and will never ship via flatpak.
The most obvious way this is exploitable is directory traversal. But not only that. Just look up “Electron $VULNERABILITY”, be it CSRF, XSS or RCE. Sandbox escape is much easier with this crap than any major browser, since contextIsolation is often intentionally disabled to access nodejs primitives instead of electron’s safer replacements. Btw Signal Desktop is also an electron app.
Also, Signal’s centralization, sussy shenanigans with mobilecoin and not updating their server app repo for over a year (latter they ceased afterwards iirc but still very detrimental to trust, especially since git reflog manipulation is ridiculously easy) and dependence on proprietary libraries and network services (in case of libraries there are thankfully at least a couple forks without such dependencies). Plus most of their servers that aren’t necessarily CDN being located in glowieland…
The huge red flag to me is that Signal is no longer decried as the devil of western intelligence anymore.
Frank Figliuzzi (former FBI cointel) and Chuck Rosenberg (former DEA admin) used to rail on about all of the dangers posed by Signal, but I haven’t heard an unkind word in over a couple years now.
French authorities consider it a “terrorist app”. Louis Rossmann made a video about it. It was in some court case but at this point I don’t remember whether it was a local court or higher and frankly don’t care enough to check.
We each make a choice according to our level of comfort in concern to privacy, or lack thereof, in how we choose to conduct ourselves afforded by the solutions we utilize and the rituals we observe.
Remember, privacy can never be enforced or guaranteed, only encouraged. Best practices, as available, as it were.
No worries, it seems like you understand perfectly - I was just reflecting on the downvotes above.
I like it here because the people often seem real, and the voting generally seems (to me, anyway) to follow more of a meritocratic pattern than whatever the fuck has been going on at the other place for the last ten or more years.
We should probably try to really understand these differences so we might get better at designing communities that are actually sustainable. Maybe I am just getting old - I’m tired of starting over, I’m tired of watching great communities self-destruct.
Likely because while simplex looks great and is very promising, it doesn’t add much to the conversation here. Signal is primarily a replacement for SMS/MMS, this means people generally would want their contacts readily available and discoverable to minimize the friction of securely messaging friends/family. Additionally it’s dangerous to be recommending a service that hasn’t been audited nor proven itself secure over time.
Noticed in one of your comments this is happening on Signal desktop. Is this a windows machine? Maybe update your post so people are aware it’s no on Android
Why did someone see that I joined Signal? People who already know your number and already have you in their contacts see that they can contact you on Signal. Nothing is sent to them by your Signal app or the Signal service. They just see a number they know is registered. If someone knows how to send you an insecure SMS, we want them to see that they can send you a Signal message instead.
Why did I see that my contact joined Signal? You are notified when someone that is stored in your contact list is a new Signal user. If you can send an insecure SMS to a contact, we want you to know you can send a Signal message instead.
You can check that in the phone app too. Hit new message, enter the numer, hit "New message to… " and it’ll tell you if it isn’t known. There is rate limiting in that function, you’d need a lot of signal accounts to sweep all phone numbers.
You could also try signing up to signal using the number you want to check.
Neither way however you would get the signal name or profile pic of the number if I understand it correctly, that would get sent if they reply to you.
It’s a necessary feature if you are using phone numbers. Signal has to tell you if your message has any chance of being received.
I don’t want to message someones number, to find out they never got my message and don’t have signal a few days later, and I don’t want to message them via whatsapp too, giving them a chance to use that when they have signal.
Add comment