this post was submitted on 26 Nov 2023
299 points (95.4% liked)

Privacy

32109 readers
700 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
 

When I press on some message to forward it, it shows me Random usernames of contacts I don't know. And it even shows some Mobile Numbers I don't know. For example, one number starts with +964 that's Iraq. I'm from Europe tho. These contacts and numbers are from all over the place.

Edit: This only happens on Signal Desktop. If I try to forward a message on Android it only shows my Contacts. And none of these unkown ones.

you are viewing a single comment's thread
view the rest of the comments
[–] pkill@programming.dev 2 points 1 year ago

maybe try setting up a matrix bridge if you feel confident you can secure that properly. On one hand it might increase attack surface (use only servers and bridges with End to Bridge Encryption) but what's an attack surface on software that is so ridiculously compromised. Also you can try using an alternative client such as Flare. Though YMMV, for me the last time I've used it it was quite rough around the edges but I'm happy to see it's actively maintained so might be worth checking out.

Also no, flatpak doesn't fix this issue. Yeah it provides some isolation which can be further improved with flatseal, and other defense-in-depth methods. But unless you are willing to face the trade-offs of using Qubes, you won't compartmentalize your entire system. The key file in question is stored in ~/.local/share. I'm not denying vulnerabilities in userland applications, but thanks to it's wide reach, often massive codebases and use of unsafe languages like C, it's the core system or networked software that is the most common attack vector. And that doesn't ship and will never ship via flatpak.

The most obvious way this is exploitable is directory traversal. But not only that. Just look up "Electron $VULNERABILITY", be it CSRF, XSS or RCE. Sandbox escape is much easier with this crap than any major browser, since contextIsolation is often intentionally disabled to access nodejs primitives instead of electron's safer replacements. Btw Signal Desktop is also an electron app.