For all of our safety, consider submitting a bugreport.
Privacy
A place to discuss privacy and freedom in the digital world.
Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.
In this community everyone is welcome to post links and discuss topics related to privacy.
Some Rules
- Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
- Don't promote proprietary software
- Try to keep things on topic
- If you have a question, please try searching for previous discussions, maybe it has already been answered
- Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
- Be nice :)
Related communities
Chat rooms
-
[Matrix/Element]Dead
much thanks to @gary_host_laptop for the logo design :)
Thanks for the Link. I submitted a report.
link to report so we can track? thanks!
I don't think it's the same user, but here's a report on GitHub with same repro
This is a totally different thing, and I also don't get what the problem of this user is. He wants to share a picture and then just like on android the list of your recent chats opens where of course the pofilepic shows to know where you want to send it to, and he somehow doesn't want the profile pic to be there even tho this is totally normal behavior from android and iOS since... always? Or do I misunderstand his problem because I don't use iOS? Well the most important part, it doesn't sound like my problem at all.
What that user is describing is very serious. They are saying iOS can reach into Signal and extract data.
The user is describing iOS' share sheet, which Signal seems to advertise as a feature. The OS isn't reaching in and grabbing data, Signal is providing data to the OS.
Also note that said user signaled this on the Signal-Android repo, which combined with their inability to find this info, when i don't even own an iOS device, makes me think they aren't the most observant user out there.
I just followed his link and submitted my report. Don't have any link.
I just counted. Signal leaked 56 random people to me.
Has anyone else been able to reproduce this? I just tried and was not able to.
OP, is it possible these people were in group chats you were part of?
I still don't see any bug report anyone can follow up on.... I cannot trust OP's experience until that's linked here.
The bug report forum from Signal doesn't give you any link.
No, they are not. I'm in two groups. None of them are in the groups. I only use Signal for Real life friends from my Country. I never joined any random group. These people are from all over the world.
Group chats very likely. There are often sync issues from mobile, so these may just be old spam or group chat numbers.
Could it be that these are spam numbers that tried to reach you at some point but were blocked before they could?
They should have added usernames YEARS ago, but instead they go and remove SMS support in the client...
Why did someone see that I joined Signal? People who already know your number and already have you in their contacts see that they can contact you on Signal. Nothing is sent to them by your Signal app or the Signal service. They just see a number they know is registered. If someone knows how to send you an insecure SMS, we want them to see that they can send you a Signal message instead.
Why did I see that my contact joined Signal? You are notified when someone that is stored in your contact list is a new Signal user. If you can send an insecure SMS to a contact, we want you to know you can send a Signal message instead.
I hate this.
So Signal does not protect against those that fill their contacts with every existing number?
But also, this does not explain why is it only happening in the desktop app for OP
Protect against what? People knowing you have Signal? Excuse me if it's obvious to everyone else, but I'm struggling to understand the issue here.
Huge if true! You could conceivably submit your phone to a Cybersecurity company and share in any reward.
Help us with:
- Your OS Version
- OS settings that are possibly related
- How you obtained Signal
- Signal version
- Video proof
- Steps to reproduce
Who knows how to compute a hash for an installed mobile phone app? We need to compare it with legit.
The video proof. It also shows the OS and Steps to reproduce. How I obtained Signal: Flathub Signal Version: 6.38.0 OS Settings: Nothing relevant.
I've been getting spam on signal. I wonder if this is how they got my number
Noticed in one of your comments this is happening on Signal desktop. Is this a windows machine? Maybe update your post so people are aware it's no on Android
Use molly
My confidence in signal is greater than my confidence in a random fork. Privacy is hard... So I feel it's better to trust something less than ideal, than to trust a random dude promising to solve all problems...
That's just my threat model.
Its not a problem with the Android App.
deleted
56 different numbers from all over the world, and all of them are actually real and have signal? I doubt I accidentally do something like this haha :)
am glad that https://simplex.chat doesn't even need to touch sensitive personal data strong selectors such as phone numbers or email addresses!
Why is this being downvoted?
I think some people get lost and don't realize that this is a privacy-centric community.
The mere potential for identifier leaking is 100% anti-privacy.
Privacy aside, but just for a second - if we don't hold ourselves to a higher standard, our standard will just be lower. That's all that will happen.
Likely because while simplex looks great and is very promising, it doesn't add much to the conversation here. Signal is primarily a replacement for SMS/MMS, this means people generally would want their contacts readily available and discoverable to minimize the friction of securely messaging friends/family. Additionally it's dangerous to be recommending a service that hasn't been audited nor proven itself secure over time.
a service that hasn't been audited
- Announcement: The security audit was performed in October 2022 by Trail of Bits, and most fixes were released in v4.2.0
- Audit: Trail of Bits - February 2, 2023 - SimpleX Chat - Security Assessment
Edit: provided link to audit
This is what the docs say.
https://support.signal.org/hc/en-us/articles/360007061452-Does-Signal-send-my-number-to-my-contacts-