When I press on some message to forward it, it shows me Random usernames of contacts I don’t know. And it even shows some Mobile Numbers I don’t know. For example, one number starts with +964 that’s Iraq. I’m from Europe tho. These contacts and numbers are from all over the place.
Edit: This only happens on Signal Desktop. If I try to forward a message on Android it only shows my Contacts. And none of these unkown ones.
I just counted. Signal leaked 56 random people to me.
I don’t think it’s the same user, but here’s a report on GitHub with same repro
Wtf is happening in these comments
Has anyone else been able to reproduce this? I just tried and was not able to.
OP, is it possible these people were in group chats you were part of?
I still don’t see any bug report anyone can follow up on… I cannot trust OP’s experience until that’s linked here.
No, they are not. I’m in two groups. None of them are in the groups. I only use Signal for Real life friends from my Country. I never joined any random group. These people are from all over the world.
Interesting. Are there any other accounts on your phone that provide contacts? Maybe social media or other chat platforms? On Android you can see accounts in Settings > Passwords & Accounts (or somewhere similar; it varies a little between brands). You can also check inside your Contacts app by expanding the sidebar (again, varies by brand).
Just a thought. I don’t have any other contact providers on my phone so I can’t test it myself.
Please keep us posted if you get any official response or learn anything new!
Huge if true! You could conceivably submit your phone to a Cybersecurity company and share in any reward.
Help us with:
- Your OS Version
- OS settings that are possibly related
- How you obtained Signal
- Signal version
- Video proof
- Steps to reproduce
Who knows how to compute a hash for an installed mobile phone app? We need to compare it with legit.
The video proof. It also shows the OS and Steps to reproduce. How I obtained Signal: Flathub Signal Version: 6.38.0 OS Settings: Nothing relevant.
I advise you stop using Signal Desktop immediately, they keep the database key in plaintext. Exposed over 5 years ago and still not fixed. Frankly I find this pretty pathetic. Making this safer could be as simple as encrypting such files with something like age and perhaps regenerate the keys on a frequent basis (yes I know full disk encryption is somehow a viable solution against unwanted physical access. But instead, they’d rather focus on security by network effect by adding shiny UX features instead of fixing infrastructural stuff, like improving trust by decentralization, not requiring phone numbers to join, or adding support for app pasphrase (which is available in case of Molly, along with regular wiping of RAM data which makes things like cold boot or memory corruption attacks harder)
