signalapp / Signal-Android

A private messenger for Android.
https://signal.org
GNU Affero General Public License v3.0
25.71k stars 6.17k forks source link

Signal recipient noted seeing extra pictures that I didn't send #13765

Open impredicative opened 1 month ago

impredicative commented 1 month ago

Guidelines

Bug description

I sent five photos via Signal to someone. Signal then also sent this user three additional photos that I had deleted long ago, and are no longer even in my phone. The three extra photos had been fully deleted by me, and are not even in my Gallery app's Trash. Regardless, why was Signal even holding on to them, and why on earth did Signal send them on its own? The user said that eight photos were received, and that the three extra photos disappeared after a few seconds. The user described the three extra photos in detail, and could not have had this knowledge without actually seeing them. Moreover, these three photos were never ever even sent to anyone by me on Signal. It was a completely authorized transmission of historical data.

This is an extremely dangerous bug, and I believe that similar bugs have been reported before, e.g. #10247. Just what is going on? It's literally a disaster at every step, and is not security oriented at all; it is quite the opposite. Many things have to go wrong for this bug to manifest:

  1. Why is Signal even holding on to any pictures at all that aren't a part of the current user selection?
  2. Why is Signal holding on to deleted pictures that were deleted long ago? Moreover, they were never event sent to anyone via Signal.
  3. Why is Signal's cache so reckless and not security oriented at all?
  4. Why were the cached photos transmitted?

Screenshots

No response

Device

Samsung S24 Ultra

Android version

14

Signal version

not recorded before being updated

Link to debug log

cannot share due to privacy reasons

greyson-signal commented 4 weeks ago

Hi there. As described, I honestly do not believe that this series of events is possible. Specifically, Signal does not hold onto media that was never sent via Signal. We do not maintain any separate mirrored view of your gallery or anything that would allow us to somehow maintain access to media that was deleted from your device and never sent via Signal. The only media we have in our app storage is media that is sent/received via Signal.

It's extremely difficult to debug anything without being able to read a log. If you're concerned about sharing it too widely, you can email it to suppor@signal.org and include a link to this github issue. Although our logs usually only cover a few days, so by the time you get to it, it's possible the relevant events have fallen off already. Regardless, logs from your and your chat partner would be the first things we'd need to be able to investigate this further.

And then paired with that log, the timestamp of the message in question makes it much easier to navigate the logs and figure out what happened with that message specifically (the timestamp can be retrieved by long pressing the message > Info > Long press the sent time, which should copy it to your clipboard).

Some questions I have

(Also, regarding the linked issue, my comments in that issue explain this, but the bug resulted from a database ID re-use that was fixed 4 years ago and is no longer possible. And the most recent report was actually an instance of someone leaving the app open when they put their phone in their pocket.)

impredicative commented 4 weeks ago

Thank you for the response.

Signal does not hold onto media that was never sent via Signal.

Does Signal hold on to thumbnails in general? Does it hold on to media that were sent previously via Signal?

were all 8 images in a single message

Yes, in a single message, with all images grouped together. I don't know their ordering.

Are you absolutely 100% sure that these images were never sent or received via signal before?

No, I am not sure. If we assume they were sent before to the same user, does this help simplify what could happen? Why would the user see their thumbnails again in the current group in Signal?

The only way content is automatically deleted is either via an expiration timer, a "delete for everyone" action (which would leave a tombstone in the chat), or a delete sync from the user's linked device.

Is this also true of thumbnails in the group of images?

Based on you/your friends experiences, do any of those seem like possible explanations for the deletions?

It is only the thumbnails that concern me right now. I don't know if the stated reasons also apply to thumbnails. For what it's worth, all received photos were grouped together.

greyson-signal commented 3 weeks ago

Does Signal hold on to thumbnails in general? Does it hold on to media that were sent previously via Signal?

Signal doesn't explicitly generate thumbnails at this moment, rather we rely on glide to handle image caching. Yes, Signal maintains its own internal store of all media that currently exists in Signal conversations on the device. That means that if the media is deleted from the system gallery, Signal will still have it. But if it's deleted in Signal, Signal will no longer have it.

If we assume they were sent before to the same user, does this help simplify what could happen? Why would the user see their thumbnails again in the current group in Signal?

It mostly brings the bug into the actual realm of possibility. If you were 100% sure that the media was never sent in Signal and is not on your device at all, I would say that your friend must be mistaken as to what happened. But if the media was previously sent, I could at least then imagine that something may have actually happened :)

The weirdest part about all of this is the sudden deletion on the recipient's side. If I understand correctly, your device simply shows the 5 intended images in the message you sent, and the receiver's device now matches that. But for some moment the receiver saw extra photos in the message.

I personally do not know of any mechanism that would cause some subset of media to disappear independently of the rest of the message, if the media were legitimately received as part of the message you sent. It makes me more inclined to think that there could have been some strange caching issue when rendering the message bubble. Mind you, I have never heard of a caching issue like that existing, but I suppose it's possible if somehow some wire got crossed, some cache key collision, etc.

But it's worth mentioning that you can only see at most 5 images at once in a message bubble. More than that, and you have to tap the bubble to expand it into the fullscreen media viewer, at which point you can scroll through all of the images.

Do you know if your friend actually scrolled through 8 full sized images? If so, then it couldn't have been a caching issue.

impredicative commented 3 weeks ago

you can scroll through all of the images.

The user confirmed today that the extra images were briefly visible in this scroller. These extra images had been previously sent to the user, and were now unintentionally repeated here. I didn't even have these extra images on my sending device anymore, so it's impossible for me to have willfully resent them.

Do you know if your friend actually scrolled through 8 full sized images?

Standby. I will update.