signalapp / Signal-Android

A private messenger for Android.
https://signal.org
GNU Affero General Public License v3.0

Data Loss Following Unverified Account Transfer and Unintended Cross-Device Synchronization #13749

Open gab12 opened 2 weeks ago

gab12 commented 2 weeks ago

Bug description

Hello,

I followed a non-standard user path, and the problem is that I lost all my data. Here’s the use case: I wanted to transfer my "Signal" data from one device to another.

I had both devices, so I installed the app and began the transfer during setup. It worked very well. After the transfer, I had my data on both devices, which was perfect!

However, on the second device, in order to continue conversations, I was asked to verify the phone number linked to the account. That’s where the problems began, as I hadn’t renewed my phone line and therefore couldn’t receive the code.

So, I tried to work around the issue to continue using Signal. I entered another phone number of mine, hoping the code would be sent to the new line and unlock my access on the device.

Here’s what happened:

The code worked, but it didn’t give me access to the local Signal data on the device. Instead, it retrieved all the data linked to my new line, overwriting the transfer I had completed. Worse still, and what I consider a design flaw:

It also synchronized this new data on the original device, overwriting the original source of my data. Result: I now have three devices with data from my new phone line and have lost all my original data.

I believe that the data should never have been synced back to the original device and overwritten its contents without warning, especially since the second device had not completed verification of the code.

Screenshots

No response

Device

no name

Android version

Android 13

Signal version

7.20.2

Link to debug log

No response

greyson-signal commented 2 weeks ago

I'm having trouble following the series of events here. It sounds like there are actually three devices in play, which we can label A, B, and C.

Do all three devices have Signal installed?

> Instead, it retrieved all the data linked to my new line, overwriting the transfer I had completed.

Can you elaborate? The only data Signal can restore is your group memberships+contacts. We can't restore any message content, so I'm confused by what you mean when you say "overwriting".

> It also synchronized this new data on the original device, overwriting the original source of my data.

Are you saying the data from C is now on A? What data? Did you register C's phone number on A? Did you do a device transfer? Again, Signal the service has no access to any message data and cannot arbitrarily restore data onto devices. All we can do is sync your contacts and group memberships, but only if the number is registered on that device.


Some general things to keep in mind: