oxen-io / session-desktop

Session Desktop - Onion routing based messenger
https://getsession.org
GNU General Public License v3.0

[BUG] win11 conversations leaking into google search #3103

Closed jnorthrup closed 1 month ago

jnorthrup commented 1 month ago

Current Behavior

we write ze konverzsachon und ve zee ze zocialization of our konverzunfroogen!

image [...] profit! image

Expected Behavior

no monetized session conversations.

Steps To Reproduce

No response

Desktop Version

No response

Anything else?

No response

KeeJef commented 1 month ago

Sorry, I don't understand the issue which is being reported here. Can you please provide a more detailed written explanation of the issue in English?

jnorthrup commented 1 month ago

I'm reporting a sniffer that picked up on my Session conversation and presented my exact mention back on the YouTube front page, using Windows 11 and the Brave browser.

The mention of Eddie Van Halen is absolutely one of a kind for me in years. Similarly, I have no bookmarks or history containing Van Halen or Eddie Van Halen.

I have some theories, none of them involve google being informed knowingly about an Eddie Van Halen mention.

I will keep an eye out for the situation recurring in other contexts, but I do hope it helps to report this.

KeeJef commented 1 month ago

Okay, there isn't anything in the Session app which communicates any of the messages you type or send to any third party, so it's hard to see how this would occur.

keybreak commented 1 month ago

No wonder. The idea of using a secure / private messenger on a spyware OS full of keyloggers and AI (both Win / Mac) nullifies the concept of any secure and private messenger. There's nothing you can do about it except stop using the OS.

In order to prevent it, all Session can do is stop wasting resources and energy on Windows / Mac builds and restrict them... which is not optimal, but at least it's one way to make sure no single side of a conversation will be compromised.

As things are now, I myself have to explicitly ask and trust the people that I talk with to never use Session on Win / Mac / iOS... and on Android, that they at least have a FOSS keyboard installed and it doesn't connect to the internet.

jnorthrup commented 1 month ago

This isn't a Fort Knox installation; luckily I have some wiggle room before I get overwhelmed with zombies and have to reinstall.

The first thing I feel should be checked is to find adhesions like opt-ins. I suspect that opting in to Windows preview features does indeed give a preview to them. There are other DLLs that can be dated to the incident and checked for recent installs. This isn't normally a thing I spend time on, and aside from well-meaning recommendations of hygiene, this isn't a call for that, but I'm agreeable to simple suggestions that others may know of to come up with A/B discriminators to nail down the ingress and egress points of some tokens.
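As an added illustration of the "DLLs dated to the incident" check mentioned above (this is example code, not code from the issue thread or from the Session project), the PowerShell below lists every module loaded into a running process together with its last-modified time and Authenticode signature status, and flags modules modified inside an assumed incident window. The process name `session-desktop` and the 14-day window are assumptions; substitute the name `Get-Process` actually shows on your machine and the real date range.

```powershell
# Added example (not from the thread): triage of modules loaded into a process on Windows.
# Assumptions: the process is named 'session-desktop' and the incident window is the last 14 days.
$procName = 'session-desktop'
$since    = (Get-Date).AddDays(-14)

# Pick the first matching process; Modules enumeration needs an elevated shell
# whose bitness matches the target process.
$proc = Get-Process -Name $procName -ErrorAction Stop | Select-Object -First 1

$report = foreach ($m in $proc.Modules) {
    $path = $m.FileName
    $item = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
    $sig  = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Module   = $m.ModuleName
        Path     = $path
        Modified = $item.LastWriteTime
        # A module written inside the window is a lead to look at, not proof of anything.
        Recent   = ($item.LastWriteTime -gt $since)
        Signed   = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
        Signer   = $sig.SignerCertificate.Subject   # empty when unsigned
    }
}

# Most recently modified first; unsigned or recently changed modules stand out at the top.
$report | Sort-Object Modified -Descending | Format-Table Module, Modified, Recent, Signed, Signer -AutoSize

# Second view: anything loaded from outside the application's own folder and the Windows
# directory deserves a second look, since that is where third-party shell extensions, input
# method editors and similar hooks usually live.
$appDir = Split-Path -Parent $proc.Path
$report | Where-Object { $_.Path -notlike "$appDir\*" -and $_.Path -notlike "$env:SystemRoot\*" } |
    Format-Table Module, Path, Signed -AutoSize
```

Treat the output as a starting point for the A/B comparison the comment asks for: run it on the affected machine and on a clean install of the same Session version, and diff the module lists. A module that is unsigned, has a hash mismatch, or sits outside the application and Windows directories is worth examining, but a recent modification date alone is routine after any Windows or application update.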

keybreak commented 1 month ago

It's impossible to "fix" Windows by flipping options, changing the registry, or even using a pirate-build ISO with supposedly cut-off stuff. It will resurface on the next update; you don't control Windows.

Just use Linux, and be aware that if someone you're talking with on Session uses Win / Mac / iOS / Android (with the default keyboard), your conversations with such a person can and will be compromised by their OS.

jnorthrup commented 1 month ago

Yeah, that's really good advice for personal hygiene. On that note, a discussion of tools to trap library calls and IDA Pro scripts is interesting too. Like Wireshark for DLLs.

KeeJef commented 1 month ago

Closing this for now, as it's not really something that is in scope for Session to tackle.

jnorthrup commented 1 month ago

Which authors put their name on some kind of security in the client or the dev tools? Saying "windowz is insecure, don't use it" is a cop-out. @KeeJef

The distinct lack of any discussion about actual security here is pretty concerning for the viability of even using this client on the majority desktop platform. We don't simply pass plain text and blame the sniffers for showing it.