Signal leaked random contacts to me!

link to report so we can track? thanks!

The bug report forum from Signal doesn't give you any link.

Interesting. Are there any other accounts on your phone that provide contacts? Maybe social media or other chat platforms? On Android you can see accounts in Settings > Passwords & Accounts (or somewhere similar; it varies a little between brands). You can also check inside your Contacts app by expanding the sidebar (again, varies by brand).

Just a thought. I don't have any other contact providers on my phone so I can't test it myself.

Please keep us posted if you get any official response or learn anything new!

Protect against what? People knowing you have Signal? Excuse me if it's obvious to everyone else, but I'm struggling to understand the issue here.

I advise you stop using Signal Desktop immediately, they keep the database key in plaintext. Exposed over 5 years ago and still not fixed. Frankly I find this pretty pathetic. Making this safer could be as simple as encrypting such files with something like age and perhaps regenerate the keys on a frequent basis (yes I know full disk encryption is somehow a viable solution against unwanted physical access. But instead, they'd rather focus on security by network effect by adding shiny UX features instead of fixing infrastructural stuff, like improving trust by decentralization, not requiring phone numbers to join, or adding support for app pasphrase (which is available in case of Molly, along with regular wiping of RAM data which makes things like cold boot or memory corruption attacks harder)

Wicked, thanks for sharing

This is super helpful, I may post this to infosec.exchange. Flathub makes this so much more difficult to find the reason for what looks like a real breach. I don't use Flathub for security reasons so I don't know if you can even isolate the PID? Anyone know?

I don't want you to have to spend a lot of time or troubleshoot over the web but if you see anything that stands out as "wow shouldn't be there/running" when you run these commands come back to us:

1. ps the PID of Signal or secondarily, Flathub
2. lsof -p PID
3. strace
   • sudo strace -f -t -e trace=file -p PID
4. sysctl kernel.randomize_va_space
   • pkill/killall Flathub/Signal and restart FH/Signal and see if it still presents the vulnerability

But that is not official signal app..

What?

Also don't get me wrong. Molly might be written by less experienced programmers. And if it was written from scratch, it could be very likely it would contain more vulnerabilities per 1000 lines of code than standard Signal app. But it's mostly just it's a hardened superset sans some nasty stuff. I'd compare that more to how Calyx or GrapheneOS are to plain AOSP than how some low maintenance random custom ROM from XDA with fuckton of bells and whistles that will leave your bootloader unlocked is.

Have you seen signal's issue tracker? Ik it's a big project, but it's literally getting spammed, plus the desktop app that keeps database key in plaintext and won't work natively under wayland (needs xwayland, making basic stuff like sending attachments hard if you use most tiling compositor, tho that's partly Wayland's design flaw of lacking consistent reference implementation). Also I principally don't trust apps that rely on both proprietary network services and libraries. The very fact that they don't leverage their funding to reduce their costs by working on support for federation that is not a matrix bridge (which hasn't been even developed by them btw) or decentralization, especially since XMPP, SimpleX and Matrix (which has currently 3 well developed server implementations: Synapse, Dendrite and Conduit) have been able to do so with much smaller funding. And it's Signal, not Molly's maintainers who have been putting more effort into shiny UX improvements over hardening infrastructure code lately. And even if Signal does improve it's security, the patches get regularly backported into Molly, whereas even such basic shit implemented solely in Molly, such as app passwords that actually encrypt it's database is pretty useful. Because even PIN scrambling is not fully immune to shoulder surfing. Defense in deph matters.

tl;dr a longer rant about decentralization vs federation 👇

Even the argument of network effect achieved thanks to reliance on phone numbers is becoming less relevant these days, with DeltaChat providing a convenient way to have encrypted chats using the existing email infrastructure in much more convenient way than traditional PGP. Pixelfed has already achieved E2EE DMs and it's being worked on for Mastodon. If the UI of the most popular apps and the official web interface are also redesigned to make messaging more convenient to use it might have the same positive effect on user retention as Facebook Messenger once had. Anyway things are bound to change in favor of federation, but not necessarily decentralization. For instance I got mixed feelings about EU's DMA. I'm optimistic about the interoperability benefits it could bring, but even the official act doesn't specify how it'll be implemented. If it relies on something like WebFinger which does require a domain name it'll end up just grouping a couple of major walled gardens together, so for example SimpleX, Session or Status users still might not be able to chat with people on centralized platforms

I think some people get lost and don't realize that this is a privacy-centric community.

The mere potential for identifier leaking is 100% anti-privacy.

Likely because while simplex looks great and is very promising, it doesn't add much to the conversation here. Signal is primarily a replacement for SMS/MMS, this means people generally would want their contacts readily available and discoverable to minimize the friction of securely messaging friends/family. Additionally it's dangerous to be recommending a service that hasn't been audited nor proven itself secure over time.

ever*

Kids need to reminded of Bush and his atrocities

DID YOU CALL THE IRAQ NUMBER?