When I press on some message to forward it, it shows me Random usernames of contacts I don’t know. And it even shows some Mobile Numbers I don’t know. For example, one number starts with +964 that’s Iraq. I’m from Europe tho. These contacts and numbers are from all over the place.

Edit: This only happens on Signal Desktop. If I try to forward a message on Android it only shows my Contacts. And none of these unkown ones.

          • Instantnudeln@feddit.deOP
            1·
            10 months ago

            This is a totally different thing, and I also don’t get what the problem of this user is. He wants to share a picture and then just like on android the list of your recent chats opens where of course the pofilepic shows to know where you want to send it to, and he somehow doesn’t want the profile pic to be there even tho this is totally normal behavior from android and iOS since… always? Or do I misunderstand his problem because I don’t use iOS? Well the most important part, it doesn’t sound like my problem at all.

            • Elias Griffin@lemmy.worldEnglish
              0·
              10 months ago

              What that user is describing is very serious. They are saying iOS can reach into Signal and extract data.

              • folkrav@lemmy.ca
                1·
                10 months ago

                The user is describing iOS’ share sheet, which Signal seems to advertise as a feature. The OS isn’t reaching in and grabbing data, Signal is providing data to the OS.

                Also note that said user signaled this on the Signal-Android repo, which combined with their inability to find this info, when i don’t even own an iOS device, makes me think they aren’t the most observant user out there.

  • hersh@literature.cafe
    41·
    10 months ago

    Has anyone else been able to reproduce this? I just tried and was not able to.

    OP, is it possible these people were in group chats you were part of?

    • aodhsishaj@lemmy.world
      141·
      10 months ago

      I still don’t see any bug report anyone can follow up on… I cannot trust OP’s experience until that’s linked here.

    • Instantnudeln@feddit.deOP
      10·
      10 months ago

      No, they are not. I’m in two groups. None of them are in the groups. I only use Signal for Real life friends from my Country. I never joined any random group. These people are from all over the world.

      • hersh@literature.cafe
        4·
        10 months ago

        Interesting. Are there any other accounts on your phone that provide contacts? Maybe social media or other chat platforms? On Android you can see accounts in Settings > Passwords & Accounts (or somewhere similar; it varies a little between brands). You can also check inside your Contacts app by expanding the sidebar (again, varies by brand).

        Just a thought. I don’t have any other contact providers on my phone so I can’t test it myself.

        Please keep us posted if you get any official response or learn anything new!

        • Instantnudeln@feddit.deOP
          6·
          10 months ago

          Nope. And I maybe had to add (did it now) that this only appears to be a problem with Signal Desktop. My signal app on android doesn’t even show other contacts from strangers. I will update this if I get a response, of course.

    • Pantherina@feddit.de
      4·
      10 months ago

      Group chats very likely. There are often sync issues from mobile, so these may just be old spam or group chat numbers.

  • Atemu@lemmy.ml
    33·
    10 months ago

    Could it be that these are spam numbers that tried to reach you at some point but were blocked before they could?

  • T (they/she)@beehaw.org
    232·
    10 months ago

    Why did someone see that I joined Signal? People who already know your number and already have you in their contacts see that they can contact you on Signal. Nothing is sent to them by your Signal app or the Signal service. They just see a number they know is registered. If someone knows how to send you an insecure SMS, we want them to see that they can send you a Signal message instead.

    Why did I see that my contact joined Signal? You are notified when someone that is stored in your contact list is a new Signal user. If you can send an insecure SMS to a contact, we want you to know you can send a Signal message instead.

    I hate this.

  • Elias Griffin@lemmy.worldEnglish
    18·
    10 months ago

    Huge if true! You could conceivably submit your phone to a Cybersecurity company and share in any reward.

    Help us with:

    • Your OS Version
    • OS settings that are possibly related
    • How you obtained Signal
    • Signal version
    • Video proof
    • Steps to reproduce

    Who knows how to compute a hash for an installed mobile phone app? We need to compare it with legit.

      • anti-idpol action@programming.dev
        52·
        10 months ago

        I advise you stop using Signal Desktop immediately, they keep the database key in plaintext. Exposed over 5 years ago and still not fixed. Frankly I find this pretty pathetic. Making this safer could be as simple as encrypting such files with something like age and perhaps regenerate the keys on a frequent basis (yes I know full disk encryption is somehow a viable solution against unwanted physical access. But instead, they’d rather focus on security by network effect by adding shiny UX features instead of fixing infrastructural stuff, like improving trust by decentralization, not requiring phone numbers to join, or adding support for app pasphrase (which is available in case of Molly, along with regular wiping of RAM data which makes things like cold boot or memory corruption attacks harder)

          • anti-idpol action@programming.dev
            2·
            10 months ago

            maybe try setting up a matrix bridge if you feel confident you can secure that properly. On one hand it might increase attack surface (use only servers and bridges with End to Bridge Encryption) but what’s an attack surface on software that is so ridiculously compromised. Also you can try using an alternative client such as Flare. Though YMMV, for me the last time I’ve used it it was quite rough around the edges but I’m happy to see it’s actively maintained so might be worth checking out.

            Also no, flatpak doesn’t fix this issue. Yeah it provides some isolation which can be further improved with flatseal, and other defense-in-depth methods. But unless you are willing to face the trade-offs of using Qubes, you won’t compartmentalize your entire system. The key file in question is stored in ~/.local/share. I’m not denying vulnerabilities in userland applications, but thanks to it’s wide reach, often massive codebases and use of unsafe languages like C, it’s the core system or networked software that is the most common attack vector. And that doesn’t ship and will never ship via flatpak.

            The most obvious way this is exploitable is directory traversal. But not only that. Just look up “Electron $VULNERABILITY”, be it CSRF, XSS or RCE. Sandbox escape is much easier with this crap than any major browser, since contextIsolation is often intentionally disabled to access nodejs primitives instead of electron’s safer replacements. Btw Signal Desktop is also an electron app.

      • Elias Griffin@lemmy.worldEnglish
        54·
        10 months ago

        This is super helpful, I may post this to infosec.exchange. Flathub makes this so much more difficult to find the reason for what looks like a real breach. I don’t use Flathub for security reasons so I don’t know if you can even isolate the PID? Anyone know?

        I don’t want you to have to spend a lot of time or troubleshoot over the web but if you see anything that stands out as “wow shouldn’t be there/running” when you run these commands come back to us:

        1. ps the PID of Signal or secondarily, Flathub
        2. lsof -p PID
        3. strace
          • sudo strace -f -t -e trace=file -p PID
        4. sysctl kernel.randomize_va_space
          • pkill/killall Flathub/Signal and restart FH/Signal and see if it still presents the vulnerability
  • BearOfaTime@lemm.ee
    111·
    10 months ago

    Noticed in one of your comments this is happening on Signal desktop. Is this a windows machine? Maybe update your post so people are aware it’s no on Android

    • Instantnudeln@feddit.deOP
      24·
      10 months ago

      56 different numbers from all over the world, and all of them are actually real and have signal? I doubt I accidentally do something like this haha :)

    • Ohh@lemmy.ml
      18·
      10 months ago

      My confidence in signal is greater than my confidence in a random fork. Privacy is hard… So I feel it’s better to trust something less than ideal, than to trust a random dude promising to solve all problems…

      That’s just my threat model.

      • anti-idpol action@programming.dev
        4·
        10 months ago

        Also don’t get me wrong. Molly might be written by less experienced programmers. And if it was written from scratch, it could be very likely it would contain more vulnerabilities per 1000 lines of code than standard Signal app. But it’s mostly just it’s a hardened superset sans some nasty stuff. I’d compare that more to how Calyx or GrapheneOS are to plain AOSP than how some low maintenance random custom ROM from XDA with fuckton of bells and whistles that will leave your bootloader unlocked is.

      • anti-idpol action@programming.dev
        11·
        10 months ago

        Have you seen signal’s issue tracker? Ik it’s a big project, but it’s literally getting spammed, plus the desktop app that keeps database key in plaintext and won’t work natively under wayland (needs xwayland, making basic stuff like sending attachments hard if you use most tiling compositor, tho that’s partly Wayland’s design flaw of lacking consistent reference implementation). Also I principally don’t trust apps that rely on both proprietary network services and libraries. The very fact that they don’t leverage their funding to reduce their costs by working on support for federation that is not a matrix bridge (which hasn’t been even developed by them btw) or decentralization, especially since XMPP, SimpleX and Matrix (which has currently 3 well developed server implementations: Synapse, Dendrite and Conduit) have been able to do so with much smaller funding. And it’s Signal, not Molly’s maintainers who have been putting more effort into shiny UX improvements over hardening infrastructure code lately. And even if Signal does improve it’s security, the patches get regularly backported into Molly, whereas even such basic shit implemented solely in Molly, such as app passwords that actually encrypt it’s database is pretty useful. Because even PIN scrambling is not fully immune to shoulder surfing. Defense in deph matters.

        tl;dr a longer rant about decentralization vs federation 👇

        Even the argument of network effect achieved thanks to reliance on phone numbers is becoming less relevant these days, with DeltaChat providing a convenient way to have encrypted chats using the existing email infrastructure in much more convenient way than traditional PGP. Pixelfed has already achieved E2EE DMs and it’s being worked on for Mastodon. If the UI of the most popular apps and the official web interface are also redesigned to make messaging more convenient to use it might have the same positive effect on user retention as Facebook Messenger once had. Anyway things are bound to change in favor of federation, but not necessarily decentralization. For instance I got mixed feelings about EU’s DMA. I’m optimistic about the interoperability benefits it could bring, but even the official act doesn’t specify how it’ll be implemented. If it relies on something like WebFinger which does require a domain name it’ll end up just grouping a couple of major walled gardens together, so for example SimpleX, Session or Status users still might not be able to chat with people on centralized platforms

        • Ohh@lemmy.ml
          31·
          10 months ago

          Well. I personally am very annoyed that i can’t choose a specific pin for signal. That means my kid can read my messages, because yes… Keeping password from a child is neigh impossible. But my pin for element, fairmail, telegram he don’t know.

          So i get a lot of the criticism. For me personally, it’s still a matter of trust. A future malicious molly version might eavesdrop. Signal will probably not do so.

          Encryption at rest on an unlocked phone is probably a hard problem. But if somebody is targeting me to that extent, i am probably toast anyways.

          I try to create enough usage so that journalists and activists can hide in the mob, and i can hide from fang.

          I use element, but do worry about the local server implementation and leak of metadata.

          • anti-idpol action@programming.dev
            1·
            10 months ago

            I see your point and don’t negate such possibility. Although the black box nature of proprietary dependencies in vanilla Signal means an inclusion of potential trojan spyware. Speaking of the need for app lock, as an alternative solution, you can create a separate profile for Signal to have a dedicated PIN. But afaik only GrapheneOS allows notification relaying to main profile. LineageOS on the other hand has a feature called AppLocker. If you intentionally lend your device to kids, Android has a feature called app pinning.

  • auth@lemmy.ml
    571·
    10 months ago

    You are now on a terrorist list… Maybe you can’t even fly… Lol… Can you say weapons of mass destruction?

    Did you call that Iraq number?

    People have no humor here…