When I press on some message to forward it, it shows me Random usernames of contacts I don’t know. And it even shows some Mobile Numbers I don’t know. For example, one number starts with +964 that’s Iraq. I’m from Europe tho. These contacts and numbers are from all over the place.

Edit: This only happens on Signal Desktop. If I try to forward a message on Android it only shows my Contacts. And none of these unkown ones.

Elias Griffin
link
fedilink
22
edit-2
1Y

Huge if true! You could conceivably submit your phone to a Cybersecurity company and share in any reward.

Help us with:

  • Your OS Version
  • OS settings that are possibly related
  • How you obtained Signal
  • Signal version
  • Video proof
  • Steps to reproduce

Who knows how to compute a hash for an installed mobile phone app? We need to compare it with legit.

Instantnudeln
creator
link
fedilink
121Y

https://imgur.com/a/a6CQSpA

The video proof. It also shows the OS and Steps to reproduce. How I obtained Signal: Flathub Signal Version: 6.38.0 OS Settings: Nothing relevant.

But that is not official signal app…

Instantnudeln
creator
link
fedilink
21Y

Tell me any other more offical way to optain Signal on fedora. Signal only provides .deb files. Flathub is my only option.

You may try this:
toolbox create --image quay.io/toolbx-images/debian-toolbox:12
toolbox enter debian-toolbox-12
Than follow Signal instructions. You will have it installed, launch with signal-desktop. So you enter debian toolbox and launch Signal from it, that is Fedora atomic way.

I am not telling, that is 100% better, than Flathub version, but you may try just to see if problem is still there or not. Flathub version is also built from their debian file, it should be ok, but it also may contain some issues. If I would using Signal myself I would probably use Flathub, but if I had such issues I would definitly consider trying toolbox way.

Flathub. Opensuse has a repo but just use Flathub, Dependencies are a mess.

Instantnudeln
creator
link
fedilink
31Y

Oh you mean literally the source I said in the comment above.

Yup either official and through an Ubuntu/Debian container, or mess up your local system with the Opensuse Repo, or just use the Flatpak that just works

Instantnudeln
creator
link
fedilink
11Y

Yea so what I already do…

anti-idpol action
link
fedilink
5
edit-2
1Y

I advise you stop using Signal Desktop immediately, they keep the database key in plaintext. Exposed over 5 years ago and still not fixed. Frankly I find this pretty pathetic. Making this safer could be as simple as encrypting such files with something like age and perhaps regenerate the keys on a frequent basis (yes I know full disk encryption is somehow a viable solution against unwanted physical access. But instead, they’d rather focus on security by network effect by adding shiny UX features instead of fixing infrastructural stuff, like improving trust by decentralization, not requiring phone numbers to join, or adding support for app pasphrase (which is available in case of Molly, along with regular wiping of RAM data which makes things like cold boot or memory corruption attacks harder)

Instantnudeln
creator
link
fedilink
41Y

There is nothing more that I hate then typing on my Phone. I can’t life without Signal Desktop.

maybe try setting up a matrix bridge if you feel confident you can secure that properly. On one hand it might increase attack surface (use only servers and bridges with End to Bridge Encryption) but what’s an attack surface on software that is so ridiculously compromised. Also you can try using an alternative client such as Flare. Though YMMV, for me the last time I’ve used it it was quite rough around the edges but I’m happy to see it’s actively maintained so might be worth checking out.

Also no, flatpak doesn’t fix this issue. Yeah it provides some isolation which can be further improved with flatseal, and other defense-in-depth methods. But unless you are willing to face the trade-offs of using Qubes, you won’t compartmentalize your entire system. The key file in question is stored in ~/.local/share. I’m not denying vulnerabilities in userland applications, but thanks to it’s wide reach, often massive codebases and use of unsafe languages like C, it’s the core system or networked software that is the most common attack vector. And that doesn’t ship and will never ship via flatpak.

The most obvious way this is exploitable is directory traversal. But not only that. Just look up “Electron $VULNERABILITY”, be it CSRF, XSS or RCE. Sandbox escape is much easier with this crap than any major browser, since contextIsolation is often intentionally disabled to access nodejs primitives instead of electron’s safer replacements. Btw Signal Desktop is also an electron app.

Elias Griffin
link
fedilink
1
edit-2
1Y

This is super helpful, I may post this to infosec.exchange. Flathub makes this so much more difficult to find the reason for what looks like a real breach. I don’t use Flathub for security reasons so I don’t know if you can even isolate the PID? Anyone know?

I don’t want you to have to spend a lot of time or troubleshoot over the web but if you see anything that stands out as “wow shouldn’t be there/running” when you run these commands come back to us:

  1. ps the PID of Signal or secondarily, Flathub
  2. lsof -p PID
  3. strace
    • sudo strace -f -t -e trace=file -p PID
  4. sysctl kernel.randomize_va_space
    • pkill/killall Flathub/Signal and restart FH/Signal and see if it still presents the vulnerability

Wicked, thanks for sharing

Create a post

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

  • Posting a link to a website containing tracking isn’t great, if contents of the website are behind a paywall maybe copy them into the post
  • Don’t promote proprietary software
  • Try to keep things on topic
  • If you have a question, please try searching for previous discussions, maybe it has already been answered
  • Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
  • Be nice :)

Related communities

much thanks to @gary_host_laptop for the logo design :)

  • 0 users online
  • 57 users / day
  • 383 users / week
  • 1.5K users / month
  • 5.7K users / 6 months
  • 1 subscriber
  • 3.13K Posts
  • 78.3K Comments
  • Modlog