When I press on some message to forward it, it shows me Random usernames of contacts I don’t know. And it even shows some Mobile Numbers I don’t know. For example, one number starts with +964 that’s Iraq. I’m from Europe tho. These contacts and numbers are from all over the place.
Edit: This only happens on Signal Desktop. If I try to forward a message on Android it only shows my Contacts. And none of these unkown ones.
Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.
In this community everyone is welcome to post links and discuss topics related to privacy.
much thanks to @gary_host_laptop for the logo design :)
They should have added usernames YEARS ago, but instead they go and remove SMS support in the client…
Use molly
My confidence in signal is greater than my confidence in a random fork. Privacy is hard… So I feel it’s better to trust something less than ideal, than to trust a random dude promising to solve all problems…
That’s just my threat model.
Also don’t get me wrong. Molly might be written by less experienced programmers. And if it was written from scratch, it could be very likely it would contain more vulnerabilities per 1000 lines of code than standard Signal app. But it’s mostly just it’s a hardened superset sans some nasty stuff. I’d compare that more to how Calyx or GrapheneOS are to plain AOSP than how some low maintenance random custom ROM from XDA with fuckton of bells and whistles that will leave your bootloader unlocked is.
Have you seen signal’s issue tracker? Ik it’s a big project, but it’s literally getting spammed, plus the desktop app that keeps database key in plaintext and won’t work natively under wayland (needs xwayland, making basic stuff like sending attachments hard if you use most tiling compositor, tho that’s partly Wayland’s design flaw of lacking consistent reference implementation). Also I principally don’t trust apps that rely on both proprietary network services and libraries. The very fact that they don’t leverage their funding to reduce their costs by working on support for federation that is not a matrix bridge (which hasn’t been even developed by them btw) or decentralization, especially since XMPP, SimpleX and Matrix (which has currently 3 well developed server implementations: Synapse, Dendrite and Conduit) have been able to do so with much smaller funding. And it’s Signal, not Molly’s maintainers who have been putting more effort into shiny UX improvements over hardening infrastructure code lately. And even if Signal does improve it’s security, the patches get regularly backported into Molly, whereas even such basic shit implemented solely in Molly, such as app passwords that actually encrypt it’s database is pretty useful. Because even PIN scrambling is not fully immune to shoulder surfing. Defense in deph matters.
tl;dr a longer rant about decentralization vs federation 👇
Even the argument of network effect achieved thanks to reliance on phone numbers is becoming less relevant these days, with DeltaChat providing a convenient way to have encrypted chats using the existing email infrastructure in much more convenient way than traditional PGP. Pixelfed has already achieved E2EE DMs and it’s being worked on for Mastodon. If the UI of the most popular apps and the official web interface are also redesigned to make messaging more convenient to use it might have the same positive effect on user retention as Facebook Messenger once had. Anyway things are bound to change in favor of federation, but not necessarily decentralization. For instance I got mixed feelings about EU’s DMA. I’m optimistic about the interoperability benefits it could bring, but even the official act doesn’t specify how it’ll be implemented. If it relies on something like WebFinger which does require a domain name it’ll end up just grouping a couple of major walled gardens together, so for example SimpleX, Session or Status users still might not be able to chat with people on centralized platforms
It’s easy to “stand on the shoulders of giants” and claim some software is better when you’re adding 1-5% of additional work on top of a fully developed service/app/infrastructure. It’s why generally forks of software tend to have more features than the original source - See the following examples where people polish something and release it as their own improved creation:
Now, I’m not trying to say people should stop forking software, I’m all for it as it breeds competition and innovation, but to complain that a software project is not meeting your specific demands and their forks are doing so much more means you’re not understanding the other projects would probably die without all the hard work that goes on in the core product.
You say this but do you have any evidence to back up the claim that it’s useful and to who? Who’s asking for it? What percentage of Signal users would enable the feature? Is it 1%. Is that worth it? There’s barely a demand for privacy from the general populace otherwise Signal would be a hit and everyone would leave Whatsapp immediately, but it isn’t.
You’re the 1% of the 1% when it comes to desktop configurations if you’re using a tiling window manager. I used one about 10 years ago and have yet to find one other person in the real world who has ever used one and I work in IT. Whether you like it or not, Signal developers are not going to spend any effort on making your very niche use case any better. I’m not saying that to be rude, but you have to be realistic. Your expectations are high for a free service that generally works for 99% of the population.
Well. I personally am very annoyed that i can’t choose a specific pin for signal. That means my kid can read my messages, because yes… Keeping password from a child is neigh impossible. But my pin for element, fairmail, telegram he don’t know.
So i get a lot of the criticism. For me personally, it’s still a matter of trust. A future malicious molly version might eavesdrop. Signal will probably not do so.
Encryption at rest on an unlocked phone is probably a hard problem. But if somebody is targeting me to that extent, i am probably toast anyways.
I try to create enough usage so that journalists and activists can hide in the mob, and i can hide from fang.
I use element, but do worry about the local server implementation and leak of metadata.
I see your point and don’t negate such possibility. Although the black box nature of proprietary dependencies in vanilla Signal means an inclusion of potential trojan spyware. Speaking of the need for app lock, as an alternative solution, you can create a separate profile for Signal to have a dedicated PIN. But afaik only GrapheneOS allows notification relaying to main profile. LineageOS on the other hand has a feature called AppLocker. If you intentionally lend your device to kids, Android has a feature called app pinning.
Its not a problem with the Android App.
I hate this.
So Signal does not protect against those that fill their contacts with every existing number?
But also, this does not explain why is it only happening in the desktop app for OP
Protect against what? People knowing you have Signal? Excuse me if it’s obvious to everyone else, but I’m struggling to understand the issue here.
Yes. That’s my main issue. Maybe you don’t need to understand the reasons why I think it’s an issue to understand it’s an issue to me?
I don’t need to understand that it’s an issue for you, but I want to understand why it’s an issue for you.
It confirms that your number is valid and in use.
I mean, ever heard of a phonebook?
You can check that in the phone app too. Hit new message, enter the numer, hit "New message to… " and it’ll tell you if it isn’t known. There is rate limiting in that function, you’d need a lot of signal accounts to sweep all phone numbers.
You could also try signing up to signal using the number you want to check.
Neither way however you would get the signal name or profile pic of the number if I understand it correctly, that would get sent if they reply to you.
The fact that the same issue is present on all platforms doesn’t make it any better for those who oppose the method.
It’s a necessary feature if you are using phone numbers. Signal has to tell you if your message has any chance of being received.
I don’t want to message someones number, to find out they never got my message and don’t have signal a few days later, and I don’t want to message them via whatsapp too, giving them a chance to use that when they have signal.
This is what the docs say.
https://support.signal.org/hc/en-us/articles/360007061452-Does-Signal-send-my-number-to-my-contacts-
deleted by creator
Im not getting spam. I never said that I get spam. But ok.
Noticed in one of your comments this is happening on Signal desktop. Is this a windows machine? Maybe update your post so people are aware it’s no on Android
I’ve been getting spam on signal. I wonder if this is how they got my number
Would make sense, the only thing the numbers OP talks about seem to have in common is that they are random and have a Signal-account.
Could it be that these are spam numbers that tried to reach you at some point but were blocked before they could?
am glad that https://simplex.chat doesn’t even need to touch sensitive personal data strong selectors such as phone numbers or email addresses!
Why is this being downvoted?
I think some people get lost and don’t realize that this is a privacy-centric community.
The mere potential for identifier leaking is 100% anti-privacy.
Also, Signal’s centralization, sussy shenanigans with mobilecoin and not updating their server app repo for over a year (latter they ceased afterwards iirc but still very detrimental to trust, especially since git reflog manipulation is ridiculously easy) and dependence on proprietary libraries and network services (in case of libraries there are thankfully at least a couple forks without such dependencies). Plus most of their servers that aren’t necessarily CDN being located in glowieland…
The huge red flag to me is that Signal is no longer decried as the devil of western intelligence anymore.
Frank Figliuzzi (former FBI cointel) and Chuck Rosenberg (former DEA admin) used to rail on about all of the dangers posed by Signal, but I haven’t heard an unkind word in over a couple years now.
French authorities consider it a “terrorist app”. Louis Rossmann made a video about it. It was in some court case but at this point I don’t remember whether it was a local court or higher and frankly don’t care enough to check.
Privacy aside, but just for a second - if we don’t hold ourselves to a higher standard, our standard will just be lower. That’s all that will happen.
We each make a choice according to our level of comfort in concern to privacy, or lack thereof, in how we choose to conduct ourselves afforded by the solutions we utilize and the rituals we observe.
Remember, privacy can never be enforced or guaranteed, only encouraged. Best practices, as available, as it were.
Agree, but I wasn’t talking about privacy.
I apologize, you were very clear about being outside of privacy. Forgive me, I’m having trouble separating its context in this regard.
I liken level of standard similar to personal reputation. At the end of the day, that’s all we have—we accept what we are willing to live with.
No worries, it seems like you understand perfectly - I was just reflecting on the downvotes above.
I like it here because the people often seem real, and the voting generally seems (to me, anyway) to follow more of a meritocratic pattern than whatever the fuck has been going on at the other place for the last ten or more years.
We should probably try to really understand these differences so we might get better at designing communities that are actually sustainable. Maybe I am just getting old - I’m tired of starting over, I’m tired of watching great communities self-destruct.
Likely because while simplex looks great and is very promising, it doesn’t add much to the conversation here. Signal is primarily a replacement for SMS/MMS, this means people generally would want their contacts readily available and discoverable to minimize the friction of securely messaging friends/family. Additionally it’s dangerous to be recommending a service that hasn’t been audited nor proven itself secure over time.
Edit: provided link to audit
awesome! I obviously haven’t been keeping up. thanks!
deleted by creator
Why would you send them to the Android repo instead of https://github.com/signalapp/Signal-Desktop?
I already made a bug report on Signal’s Website. Wouldn’t that be a duplicate.
Huge if true! You could conceivably submit your phone to a Cybersecurity company and share in any reward.
Help us with:
Who knows how to compute a hash for an installed mobile phone app? We need to compare it with legit.
https://imgur.com/a/a6CQSpA
The video proof. It also shows the OS and Steps to reproduce. How I obtained Signal: Flathub Signal Version: 6.38.0 OS Settings: Nothing relevant.
But that is not official signal app…
Tell me any other more offical way to optain Signal on fedora. Signal only provides .deb files. Flathub is my only option.
You may try this:
toolbox create --image quay.io/toolbx-images/debian-toolbox:12
toolbox enter debian-toolbox-12
Than follow Signal instructions. You will have it installed, launch with
signal-desktop
. So you enter debian toolbox and launch Signal from it, that is Fedora atomic way.I am not telling, that is 100% better, than Flathub version, but you may try just to see if problem is still there or not. Flathub version is also built from their debian file, it should be ok, but it also may contain some issues. If I would using Signal myself I would probably use Flathub, but if I had such issues I would definitly consider trying toolbox way.
Flathub. Opensuse has a repo but just use Flathub, Dependencies are a mess.
Oh you mean literally the source I said in the comment above.
Yup either official and through an Ubuntu/Debian container, or mess up your local system with the Opensuse Repo, or just use the Flatpak that just works
Yea so what I already do…
I advise you stop using Signal Desktop immediately, they keep the database key in plaintext. Exposed over 5 years ago and still not fixed. Frankly I find this pretty pathetic. Making this safer could be as simple as encrypting such files with something like age and perhaps regenerate the keys on a frequent basis (yes I know full disk encryption is somehow a viable solution against unwanted physical access. But instead, they’d rather focus on security by network effect by adding shiny UX features instead of fixing infrastructural stuff, like improving trust by decentralization, not requiring phone numbers to join, or adding support for app pasphrase (which is available in case of Molly, along with regular wiping of RAM data which makes things like cold boot or memory corruption attacks harder)
There is nothing more that I hate then typing on my Phone. I can’t life without Signal Desktop.
maybe try setting up a matrix bridge if you feel confident you can secure that properly. On one hand it might increase attack surface (use only servers and bridges with End to Bridge Encryption) but what’s an attack surface on software that is so ridiculously compromised. Also you can try using an alternative client such as Flare. Though YMMV, for me the last time I’ve used it it was quite rough around the edges but I’m happy to see it’s actively maintained so might be worth checking out.
Also no, flatpak doesn’t fix this issue. Yeah it provides some isolation which can be further improved with flatseal, and other defense-in-depth methods. But unless you are willing to face the trade-offs of using Qubes, you won’t compartmentalize your entire system. The key file in question is stored in
~/.local/share
. I’m not denying vulnerabilities in userland applications, but thanks to it’s wide reach, often massive codebases and use of unsafe languages like C, it’s the core system or networked software that is the most common attack vector. And that doesn’t ship and will never ship via flatpak.The most obvious way this is exploitable is directory traversal. But not only that. Just look up “Electron $VULNERABILITY”, be it CSRF, XSS or RCE. Sandbox escape is much easier with this crap than any major browser, since
contextIsolation
is often intentionally disabled to access nodejs primitives instead of electron’s safer replacements. Btw Signal Desktop is also an electron app.This is super helpful, I may post this to infosec.exchange. Flathub makes this so much more difficult to find the reason for what looks like a real breach. I don’t use Flathub for security reasons so I don’t know if you can even isolate the PID? Anyone know?
I don’t want you to have to spend a lot of time or troubleshoot over the web but if you see anything that stands out as “wow shouldn’t be there/running” when you run these commands come back to us:
ps
the PID of Signal or secondarily, Flathublsof -p PID
sudo strace -f -t -e trace=file -p PID
sysctl kernel.randomize_va_space
Wicked, thanks for sharing
Has anyone else been able to reproduce this? I just tried and was not able to.
OP, is it possible these people were in group chats you were part of?
Group chats very likely. There are often sync issues from mobile, so these may just be old spam or group chat numbers.
No, they are not. I’m in two groups. None of them are in the groups. I only use Signal for Real life friends from my Country. I never joined any random group. These people are from all over the world.
Interesting. Are there any other accounts on your phone that provide contacts? Maybe social media or other chat platforms? On Android you can see accounts in Settings > Passwords & Accounts (or somewhere similar; it varies a little between brands). You can also check inside your Contacts app by expanding the sidebar (again, varies by brand).
Just a thought. I don’t have any other contact providers on my phone so I can’t test it myself.
Please keep us posted if you get any official response or learn anything new!
Nope. And I maybe had to add (did it now) that this only appears to be a problem with Signal Desktop. My signal app on android doesn’t even show other contacts from strangers. I will update this if I get a response, of course.
I still don’t see any bug report anyone can follow up on… I cannot trust OP’s experience until that’s linked here.
The bug report forum from Signal doesn’t give you any link.
Wtf is happening in these comments
No clue.
What?
deleted by creator
Any chance these are phone numbers you entered yourself but accidentally added too many digits to?
56 different numbers from all over the world, and all of them are actually real and have signal? I doubt I accidentally do something like this haha :)
removed by mod
Did I miss where OP said they’re in France?
Kids need to reminded of Bush and his atrocities
replace bush by the USA and it’s pretty accurate
ever*
What
DID YOU CALL THE IRAQ NUMBER?
Yea, of course I just call some random number. I talked to them for a couple of hours. Really nice guy. We will meet tomorrow to chill at his place.
At least you read me this time… Give it to me I’ll call
0118 999 881 999 119 725 3
This comment is fire.
Great… Another loopy head
1-888-481-4913
Ok funny guy… do you have any neurons left… Reddit makes more sense then you… You could have at least gave a random 964 number
Call this number