AsamK / signal-cli

signal-cli provides an unofficial commandline, JSON-RPC and dbus interface for the Signal messenger.
GNU General Public License v3.0
3.24k stars 309 forks source link

Attempting to register a number that is protected by a PIN deregisters it #1417

Closed marsavar closed 10 months ago

marsavar commented 10 months ago

I am running signal-cli (latest version, 0.12.7) on two separate machines.

On machine 1, I have successfully used the setPin command.

To verify that machine 2 can't arbitrarily re-register the same phone number, I tried to run the register and verify commands on machine 2, using the same account number that machine 1 is associated with (note that I used a real verification code [^1]) As expected, this correctly failed with the following error:

Picked up JAVA_TOOL_OPTIONS: -javaagent:/usr/local/log4j-hotpatch/Log4jHotPatch.jar=log4jFixerVerbose=false
Verification failed! This number is locked with a pin. Hours remaining until reset: 149
Use '--pin PIN_CODE' to specify the registration lock PIN

However, after running this command on machine 2, I was no longer able to run any signal-cli commands on machine 1, as it appears that the number became deregistered.

./signal-cli --verbose -a <REDACTED> send -m "hi" <REDACTED>
Picked up JAVA_TOOL_OPTIONS: -javaagent:/usr/local/log4j-hotpatch/Log4jHotPatch.jar=log4jFixerVerbose=false
2024-01-15T20:29:47.060Z [main] DEBUG org.asamk.signal.App - Starting signal-cli 0.12.7
2024-01-15T20:29:47.340Z [main] INFO  LibSignal - [libsignal]: rust/bridge/jni/src/logging.rs:158: Initializing libsignal version:0.36.1
2024-01-15T20:29:47.341Z [main] DEBUG org.asamk.signal.util.IOUtils - XDG_DATA_HOME not set, falling back to home dir
User <REDACTED> is not registered.

Is this behaviour intended?

My assumption was that having a PIN would help prevent SIM swap attacks, and the orignal number shouldn't be deregistered.

Thanks for your help.

[^1]: I have attempted to replicate the issue with a made-up verification code but I am currently being rate-limited by the Signal API.

AsamK commented 10 months ago

I think this is expected behavior, to prevent someone who switched phone number from blocking the new owner of the phone number to use Signal. The registration attempt was with the real verification code, which means the one registering had access to the phone number.