Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.
In this community everyone is welcome to post links and discuss topics related to privacy.
much thanks to @gary_host_laptop for the logo design :)
When I press on some message to forward it, it shows me Random usernames of contacts I don't know. And it even shows some Mobile Numbers I don't know. For example, one number starts with +964 that's Iraq. I'm from Europe tho. These contacts and numbers are from all over the place.
Edit: This only happens on Signal Desktop. If I try to forward a message on Android it only shows my Contacts. And none of these unkown ones.
I just counted. Signal leaked 56 random people to me.
Has anyone else been able to reproduce this? I just tried and was not able to.
OP, is it possible these people were in group chats you were part of?
No, they are not. I'm in two groups. None of them are in the groups. I only use Signal for Real life friends from my Country. I never joined any random group. These people are from all over the world.
Interesting. Are there any other accounts on your phone that provide contacts? Maybe social media or other chat platforms? On Android you can see accounts in Settings > Passwords & Accounts (or somewhere similar; it varies a little between brands). You can also check inside your Contacts app by expanding the sidebar (again, varies by brand).
Just a thought. I don't have any other contact providers on my phone so I can't test it myself.
Please keep us posted if you get any official response or learn anything new!
Nope. And I maybe had to add (did it now) that this only appears to be a problem with Signal Desktop. My signal app on android doesn't even show other contacts from strangers. I will update this if I get a response, of course.
Group chats very likely. There are often sync issues from mobile, so these may just be old spam or group chat numbers.
They should have added usernames YEARS ago, but instead they go and remove SMS support in the client...
Why did someone see that I joined Signal? People who already know your number and already have you in their contacts see that they can contact you on Signal. Nothing is sent to them by your Signal app or the Signal service. They just see a number they know is registered. If someone knows how to send you an insecure SMS, we want them to see that they can send you a Signal message instead.
Why did I see that my contact joined Signal? You are notified when someone that is stored in your contact list is a new Signal user. If you can send an insecure SMS to a contact, we want you to know you can send a Signal message instead.
I hate this.
So Signal does not protect against those that fill their contacts with every existing number?
But also, this does not explain why is it only happening in the desktop app for OP
Protect against what? People knowing you have Signal? Excuse me if it's obvious to everyone else, but I'm struggling to understand the issue here.
It confirms that your number is valid and in use.
You can check that in the phone app too. Hit new message, enter the numer, hit "New message to... " and it'll tell you if it isn't known. There is rate limiting in that function, you'd need a lot of signal accounts to sweep all phone numbers.
You could also try signing up to signal using the number you want to check.
Neither way however you would get the signal name or profile pic of the number if I understand it correctly, that would get sent if they reply to you.
am glad that https://simplex.chat doesn't even need to touch sensitive personal data strong selectors such as phone numbers or email addresses!
Why is this being downvoted?
Likely because while simplex looks great and is very promising, it doesn't add much to the conversation here. Signal is primarily a replacement for SMS/MMS, this means people generally would want their contacts readily available and discoverable to minimize the friction of securely messaging friends/family. Additionally it's dangerous to be recommending a service that hasn't been audited nor proven itself secure over time.
Could it be that these are spam numbers that tried to reach you at some point but were blocked before they could?
I've been getting spam on signal. I wonder if this is how they got my number
Use molly
My confidence in signal is greater than my confidence in a random fork. Privacy is hard... So I feel it's better to trust something less than ideal, than to trust a random dude promising to solve all problems...
That's just my threat model.
Also don't get me wrong. Molly might be written by less experienced programmers. And if it was written from scratch, it could be very likely it would contain more vulnerabilities per 1000 lines of code than standard Signal app. But it's mostly just it's a hardened superset sans some nasty stuff. I'd compare that more to how Calyx or GrapheneOS are to plain AOSP than how some low maintenance random custom ROM from XDA with fuckton of bells and whistles that will leave your bootloader unlocked is.
Its not a problem with the Android App.
Noticed in one of your comments this is happening on Signal desktop. Is this a windows machine? Maybe update your post so people are aware it's no on Android
deleted
56 different numbers from all over the world, and all of them are actually real and have signal? I doubt I accidentally do something like this haha :)
This is what the docs say.
https://support.signal.org/hc/en-us/articles/360007061452-Does-Signal-send-my-number-to-my-contacts-