When I press on some message to forward it, it shows me random usernames of contacts I don't know. It even shows some mobile numbers I don't know. For example, one number starts with +964, which is Iraq. I'm from Europe, though. These contacts and numbers are from all over the place.

Edit: This only happens on Signal Desktop. If I try to forward a message on Android it only shows my contacts, and none of these unknown ones.

  • Elias Griffin
    1 year ago

    Huge if true! You could conceivably submit your phone to a Cybersecurity company and share in any reward.

    Help us with:

    • Your OS Version
    • OS settings that are possibly related
    • How you obtained Signal
    • Signal version
    • Video proof
    • Steps to reproduce

    Who knows how to compute a hash for an installed mobile phone app? We need to compare it with a legitimate copy.

      • Elias Griffin
        1 year ago

        This is super helpful, I may post this to infosec.exchange. Flathub makes it so much more difficult to find the reason for what looks like a real breach. I don't use Flathub for security reasons, so I don't know if you can even isolate the PID? Anyone know?

        I don’t want you to have to spend a lot of time or troubleshoot over the web but if you see anything that stands out as “wow shouldn’t be there/running” when you run these commands come back to us:

        1. ps the PID of Signal or, secondarily, Flathub
        2. lsof -p PID
        3. strace
          • sudo strace -f -t -e trace=file -p PID
        4. sysctl kernel.randomize_va_space
        5. pkill/killall Flathub/Signal, restart FH/Signal and see if it still presents the vulnerability
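The checklist above, scripted as an added example (not code from the thread or from Signal). It finds the Signal Desktop process whether it was installed natively or via Flatpak, runs ps/lsof/strace/sysctl against it, and, since a raw strace is long, filters the file-syscall lines down to paths outside the directories Signal is expected to touch. The process names, the allow-list of directories and the embedded strace excerpt are my assumptions, not anything reported in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: gather the evidence Elias asks for from a
# running Signal Desktop. Assumptions (mine): a native install runs as
# "signal-desktop", a Flatpak install shows "org.signal.Signal" in its command
# line, and the strace lines come from "strace -f -t -e trace=file -o FILE".

# Candidate Signal Desktop PIDs (native or Flatpak). Empty output if none.
signal_pids() {
    { pgrep -f 'signal-desktop'; pgrep -f 'org\.signal\.Signal'; } 2>/dev/null | sort -un
}

# Put the kernel.randomize_va_space value into words; 0, 1 and 2 are the only
# values the kernel defines.
describe_aslr() {
    case "$1" in
        0) echo "ASLR disabled" ;;
        1) echo "partial ASLR: stack, mmap and VDSO randomised, brk is not" ;;
        2) echo "full ASLR: stack, mmap, VDSO and brk randomised" ;;
        *) echo "unknown kernel.randomize_va_space value: $1" ;;
    esac
}

# Read strace file-syscall lines on stdin, pull out the first quoted path on
# each line and print (once each) the paths outside the directories Signal
# Desktop is expected to touch. The allow-list is my assumption; widen it if
# your distro puts files elsewhere. Anything printed deserves a look.
unexpected_paths() {
    sed -n 's/^[^"]*"\([^"]*\)".*/\1/p' |
    awk -v ok='^(/usr|/lib|/lib64|/etc|/proc|/dev|/sys|/run|/tmp|/app|/var/lib/flatpak|/home/[^/]+/\\.config/Signal|/home/[^/]+/\\.var/app/org\\.signal\\.Signal)(/|$)' \
        '$0 !~ ok' |
    sort -u
}

# Constructed strace excerpt (made up for this example) with one line that
# should stand out: the process trying to read an SSH private key.
sample_trace() {
    cat <<'EOF'
4242 10:15:01 openat(AT_FDCWD, "/home/alice/.config/Signal/config.json", O_RDONLY|O_CLOEXEC) = 21
4242 10:15:01 openat(AT_FDCWD, "/usr/lib/signal-desktop/resources/app.asar", O_RDONLY|O_CLOEXEC) = 22
4243 10:15:02 stat("/etc/ld.so.cache", {st_mode=S_IFREG|0644, st_size=90210, ...}) = 0
4243 10:15:02 openat(AT_FDCWD, "/home/alice/.ssh/id_ed25519", O_RDONLY) = -1 EACCES (Permission denied)
4242 10:15:03 access("/tmp/.X11-unix/X0", F_OK) = 0
EOF
}

# Steps 1-4 from the post against the live process; strace needs sudo.
collect() {
    pid=$(signal_pids | head -n 1)
    if [ -z "$pid" ]; then
        echo "Signal Desktop does not appear to be running" >&2
        return 1
    fi
    echo "== step 1: process =="
    ps -o pid,ppid,user,etime,cmd -p "$pid"
    echo "== step 2: open files =="
    lsof -p "$pid"
    echo "== step 4: ASLR =="
    describe_aslr "$(sysctl -n kernel.randomize_va_space)"
    echo "== step 3: file syscalls for 15 s, filtered =="
    trace=$(mktemp)
    # -f follows the renderer and helper children; -o keeps the raw trace for later.
    sudo timeout 15 strace -f -t -e trace=file -p "$pid" -o "$trace"
    unexpected_paths < "$trace"
    echo "raw trace kept at $trace"
}

# Usage: sh signal-evidence.sh collect
if [ "${1:-}" = "collect" ]; then
    collect
fi
```

Run it with `collect` while Signal Desktop is open, then trigger the bug (open the forward dialog) during the 15-second strace window; the filtered list plus the raw trace file are what the reporter should attach. `sample_trace | unexpected_paths` shows the filter on the constructed excerpt and prints only the SSH key path.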
      • anti-idpol action
        1 year ago

        I advise you to stop using Signal Desktop immediately: they keep the database key in plaintext. Exposed over 5 years ago and still not fixed. Frankly I find this pretty pathetic. Making this safer could be as simple as encrypting such files with something like age and perhaps regenerating the keys on a frequent basis (yes, I know full-disk encryption is somehow a viable solution against unwanted physical access). But instead, they'd rather focus on security by network effect by adding shiny UX features instead of fixing infrastructural stuff, like improving trust by decentralization, not requiring phone numbers to join, or adding support for an app passphrase (which is available in the case of Molly, along with regular wiping of RAM data, which makes things like cold boot or memory corruption attacks harder).
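A quick way to check the claim on your own machine, as an added example (not from the thread or from Signal): look at where the Signal Desktop profile keeps its SQLCipher key and how the file is protected. The profile paths and the JSON field names are my assumptions; the check also recognises an `encryptedKey` field, which I assume is what a build that hands the key to the OS keychain would write instead of a hex `key`.

```shell
#!/bin/sh
# Added example, not from the thread: report how the Signal Desktop config
# stores the SQLCipher database key. Assumptions (mine): the file is
# config.json in the Signal profile directory, a legacy plaintext key sits in a
# hex "key" field, and a build that uses the OS keychain writes "encryptedKey".

# Default profile locations for a native and a Flatpak install.
signal_config_candidates() {
    printf '%s\n' \
        "$HOME/.config/Signal/config.json" \
        "$HOME/.var/app/org.signal.Signal/config/Signal/config.json"
}

# Classify one config.json: prints plaintext, encrypted, none or missing.
db_key_status() {
    f=$1
    [ -f "$f" ] || { echo missing; return; }
    if grep -Eq '"key"[[:space:]]*:[[:space:]]*"[0-9a-fA-F]+"' "$f"; then
        echo plaintext
    elif grep -Eq '"encryptedKey"[[:space:]]*:' "$f"; then
        echo encrypted
    else
        echo none
    fi
}

# A plaintext key that is also group- or world-readable is worse still, so
# report the file mode alongside (GNU stat first, BSD stat as fallback).
report() {
    signal_config_candidates | while read -r f; do
        status=$(db_key_status "$f")
        if [ "$status" = missing ]; then continue; fi
        mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
        echo "$f: key=$status mode=$mode"
    done
}

# Usage: sh signal-key-check.sh report
if [ "${1:-}" = "report" ]; then report; fi
```

If the report says `key=plaintext`, anyone who can read that file (malware running as your user, a backup that is not itself encrypted, another account with access to your home directory) can open the message database; full-disk encryption only helps while the machine is off.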

        • Instantnudeln (OP)
          1 year ago

          There is nothing I hate more than typing on my phone. I can't live without Signal Desktop.