Closed Janila closed 6 years ago
Janila
commented
6 years ago Additional information:
Janila
commented
6 years ago Okay, I thought that since I deleted my laptop under "linked devices" I can no longer send messges from the new signal desktop app, but I CAN. These messages appear to other people to be coming from A, and everytime I send such a message she gets another "Incorrectly encrypted message" from her own number
not-nadim
commented
6 years ago @Janila It would be interesting to look into your Signal-Desktop client's local key store to see if you can identify secret key material that's not yours.
My guess would be that during the pairing phase, your client was linked to the wrong identity somehow.
(Also, my original account, @kaepora, appears to be banned from commenting on issues in this repository, although I had never done so in the past. Could this be fixed?)
scottnonnenberg
commented
6 years ago @Janila Thanks for the detailed bug report. Sadly, there is very, very little we can do without logs from the affected devices. Without any more information than you provided, I can say this: sharing devices would certainly explain messages from and to her! Now, new messages sent today and received by two different people without some sort of group - that's a very unexpected behavior.
A few things to do:
View -> Debug Log)chrome://extensions (it could still be doing weird things)
Natanji
commented
6 years ago I'm a friend of @Janila who is also indirectly affected by this, just like K is - I receive messages that appear to be from A, but who are actually sent from the Signal-Desktop installation of @Janila. Chiming in here, since this is definitely a HUGE security issue. Something like this should outright not be possible.
Can someone describe the exact steps that happen during migration of the old Signal-Desktop in Chrome to the new Signal-Desktop Electron app? Especially regarding how key material is copied over, and which key material is used? Are new keys generated during migration, or are only old keys used? The Signal-Desktop install on @Janila's laptop is relatively new (6-8 months), so her laptop never was in contact with A's phone. A's phone definitely never scanned the QR code of Signal-Desktop of @Janila.
What we confirmed is that A's Signal-Android shows only their own laptop as linked, which is still running on the old Signal-Desktop version that runs in Chrome. This seems like a very significant security issue, since it proves that it's possible to actually have multiple devices linked although only one is shown. Since this is apparently possible, this points to a significant issue in how Signal-Desktop handles the crypto keys: apparently the Signal-Android app can be aware of only one linked device while in reality, multiple devices (the Signal-Desktop of both A and @Janila) are linked.
@scottnonnenberg It seems inadvisable to fix the problem just by reinstalling everything, doesn't it? Because this behaviour should certainly outright not even be possible. We need to get to the bottom of this, not destroy the possibility of forensics. If you can tell me how I can look at both the Signal-Android and Signal-Desktop (both old and new version) databases to search for the exact key material used, like @not-nadim suggested, that would be very helpful. Right now we don't know how a key associated with A got onto the laptop of @Janila.
Also, can you elaborate how sharing a device in the past would explain key material of the old user still being there? When you register a new phone number in Signal-Android, even without wiping anything, it's supposed to delete any kind of old key material - isn't it?
scottnonnenberg
commented
6 years ago As far as I can tell, we know exactly how the mixing of messages initially happened. The desktop app was originally linked to A's account. It also seems like the desktop app was not used for a very, very long time and was still linked to A's account when the migration happened.
There are a couple things which don't add up, however. The app doesn't send to more than one user when you send to just one user. Groups are the only way to send to more than one person at a time. That's why I'd like to see logs from the new standalone app.
Additionally, when messages are from yourself and unable to be decrypted (what A is experiencing), it can mean that you have a linked device with a messed-up session, attempting to exchange sync messages (I just sent this message to X, I just read Y message).
So, I think you need to get together with A, and have them unlink your desktop device from their account. Then set up the desktop app from scratch, like I said before.
This is definitely not a security issue in the traditional sense. If you hand someone your phone, and while you're not looking, they link your phone to a desktop app on their machine, they can fully snoop all your messages and send messages as you. This is known, and it's a feature!
Natanji
commented
6 years ago I think you massively misread some of the provided information. The desktop app was never (actively) linked to A's account. The only device that was ever shared between A and @Janila was an old Moto G, literally years back. Before updating the Chrome app to support migration, the Desktop app (which I know was quite actively used by @Janila for the past months) was linked to the account of @Janila. After updating it (just prior to the migration to Electron), it seems like it was linked to both @Janila and A (at least that's my interpretation of "K gets the message twice, once from @Janila and once from A). After @Janila unlinking her laptop, Signal-Desktop doesn't notice that it was even unlinked and doesn't display a QR-code to link it - instead, it can send messages from A's account, despite never having linked it.
A has an own laptop, which is still running the old Signal-Desktop. Only that device appears as linked in A's account. Please, re-read the provided information, I think you are jumping to massively wrong conclusions here. The situation is ten orders of magnitude more weird than you think.
Because A never linked her account to @Janila's laptop, this is absolutely a security issue.
scottnonnenberg
commented
6 years ago @Natanji I'm happy to look further, but I have no further information. All I have is the code and your statements.
I'm telling you what I believe to be the most likely explanation, especially since memory is often fuzzy. You say that the desktop app was actively used by @Janila, and you're claiming that all of a sudden new information popped out of nowhere on the migration. One of those is likely not true, given the other behavior described.
Anyway, I think it's not worth talking any further on this until we have some logs.
Janila
commented
6 years ago Okay, so here is the debug log from the new signal app: https://gist.github.com/dfbb7be06d9dc17da41d19314ffd40d9
about the phone numbers: -425 is me -349 is A -027 is K
Remember that A's messages first appeared in the chromium app, though - that they were then migrated to the new standalone desktop app is not in itself surprising I would say. [and probably can't possibly provide a log from the chromium app, since it is already deleted]
Janila
commented
6 years ago @ scottnonnenberg I know I can probably fix this by reinstalling the app, maybe A also doing the same and/or unlinking her laptop.... but I think it's more important to figure out how this could even happen in the first place, for which keeping the current configuration might be necessary.
re: "You say that the desktop app was actively used by @Janila, and you're claiming that all of a sudden new information popped out of nowhere on the migration." : I have definitely actively used the signal desktop app and for several years. When I started the app yesterday to do the migration it showed me my familiar signal messages, conversations, contacts and avatars. Of course, I cannot guarantee that there weren't any old messages from A already "mixed in", but I think I would have noticed different contacts, different names for contacts and different avatars if they had been there before.
The only explanation I have as to how A's keys came to my laptop is this: They obviously were on the old Motorola phone, that was first used by her and later by me (back then there were never any messages getting sent to the wrong person, or any problems like that, though). That phone I connected to the chromium app on my old laptop. When I migrated data to my new laptop in 2017-01 I copied the whole \home directory, so any keys stored there would also have been copied.
lenaschimmel
commented
6 years ago @Janila Just to clarify: In your last comment you said "That phone I connected to the chromium app on my old laptop." and in the first one "I don't know exactly what degree of "wiping the phone" we did in context of the transfer."
When you transferred phones, did A keep her SIM card and phone number, so that you used the phone with another phone number?
If so, I would guess that you signed in with your own number on the phone before you ever connected it to the chome app on your old laptop, so at that stage, it was reasonable to assume that A's keys would not be on the phone any more, or at least that they would not take part in the connection?
scottnonnenberg
commented
6 years ago I took a look at the logs, and some interesting details emerge:
It looks like the first thing you did after setting up the new standalone app was to try to import your contacts and groups from the settings dialog. But those requests went to A (349)! They timed out, of course, because A (349) was just seeing errors stack up.
INFO 2017-11-01T10:58:12.407Z SyncRequest created. Sending contact sync message...
INFO 2017-11-01T10:58:12.447Z PUT https://textsecure-service.whispersystems.org/v1/messages/+[REDACTED]349
INFO 2017-11-01T10:58:13.005Z PUT https://textsecure-service.whispersystems.org/v1/messages/+[REDACTED]349 200 Success
INFO 2017-11-01T10:58:13.005Z SyncRequest now sending group sync messsage...
INFO 2017-11-01T10:58:13.023Z PUT https://textsecure-service.whispersystems.org/v1/messages/+[REDACTED]349
INFO 2017-11-01T10:58:13.564Z PUT https://textsecure-service.whispersystems.org/v1/messages/+[REDACTED]349 200 SuccessThis happens three more times before you finally gave up. Then you restarted and attempted to send a message to K (027):
INFO 2017-11-01T11:03:33.871Z Sending message to conversation +[REDACTED]027 with timestamp 1509534213871
INFO 2017-11-01T11:03:34.002Z PUT https://textsecure-service.whispersystems.org/v1/messages/+[REDACTED]027
INFO 2017-11-01T11:03:34.579Z PUT https://textsecure-service.whispersystems.org/v1/messages/+[REDACTED]027 409 Error
INFO 2017-11-01T11:03:34.583Z deleting session for +[REDACTED]027.5
INFO 2017-11-01T11:03:34.601Z deleting session for +[REDACTED]027.5
INFO 2017-11-01T11:03:34.606Z GET https://textsecure-service.whispersystems.org/v2/keys/+[REDACTED]027/2
INFO 2017-11-01T11:03:35.198Z GET https://textsecure-service.whispersystems.org/v2/keys/+[REDACTED]027/2 200 Success
INFO 2017-11-01T11:03:35.658Z GET https://textsecure-service.whispersystems.org/v2/keys/+[REDACTED]027/7
INFO 2017-11-01T11:03:36.179Z GET https://textsecure-service.whispersystems.org/v2/keys/+[REDACTED]027/7 200 Success
INFO 2017-11-01T11:03:36.394Z PUT https://textsecure-service.whispersystems.org/v1/messages/+[REDACTED]027
INFO 2017-11-01T11:03:36.487Z GET https://textsecure-service.whispersystems.org/v1/profile/+[REDACTED]027 0 Error
INFO 2017-11-01T11:03:36.488Z {"name":"FetchError","message":"network timeout at: https://textsecure-service.whispersystems.org/v1/profile/+[REDACTED]027","type":"request-timeout"}
INFO 2017-11-01T11:03:36.917Z PUT https://textsecure-service.whispersystems.org/v1/messages/+[REDACTED]027 409 Error
INFO 2017-11-01T11:03:36.918Z deleting session for +[REDACTED]027.4
INFO 2017-11-01T11:03:36.982Z PUT https://textsecure-service.whispersystems.org/v1/messages/+[REDACTED]027
INFO 2017-11-01T11:03:37.488Z GET https://textsecure-service.whispersystems.org/v1/profile/+[REDACTED]027
INFO 2017-11-01T11:03:37.507Z PUT https://textsecure-service.whispersystems.org/v1/messages/+[REDACTED]027 200 Success
INFO 2017-11-01T11:03:37.558Z PUT https://textsecure-service.whispersystems.org/v1/messages/+[REDACTED]349
INFO 2017-11-01T11:03:38.010Z GET https://textsecure-service.whispersystems.org/v1/profile/+[REDACTED]027 200 Success
INFO 2017-11-01T11:03:38.036Z done with status fetch
INFO 2017-11-01T11:03:38.085Z PUT https://textsecure-service.whispersystems.org/v1/messages/+[REDACTED]349 200 SuccessYou can see it failed a number of times due to key problems and a network timeout, but it finally went through. What's interesting is that there's a message to A (349) mixed in there. Because there's no 'Sending message to' preamble, that looks like a 'sync' message, where desktop tells its linked devices that it just sent a message. Presumably this resulted in an error for A again.
Then, a number of messages come from J (425) resulting in Bad Mac errors:
INFO 2017-11-01T17:47:01.461Z queueEnvelope error handling envelope +[REDACTED]349.1 1509548634119 : Error: Bad MAC
at file:///opt/Signal/resources/app.asar/js/libtextsecure.js:35455:23It definitely looks like a pretty messed-up install. The app thinks it is linked to A (349) but it's not. If you really care about your message history, I can supply the steps to try to recover this install. But I think your best bet is to start over from scratch. Just delete ~/.config/Signal.
I know there is worry about what could possibly cause this, and its general applicability. I continue to believe that it came down to phone-sharing in the past. The migration does a basic copy from the old database to the new database, so anything present in that old database would show up in the new database. If you want to send your db.json from the export directory to support@whispersystems.org, we could do a little bit of extra analysis. We may never figure it out, however, because you said that the strange contacts/messages popped up in the Chrome app even before doing the export.
On the whole, I'm not too worried about it, because generally fully wipe their phones before passing them on to other people.
Janila
commented
6 years ago @lenaschimmel Yes, A kept her SIM card and phone number and I used the phone and signal with a different phone number.
Natanji
commented
6 years ago What I don't understand is the following: Upon getting a new phone, A would naturally have to re-register that phone with Signal. That means that for her number (349), she generates completely new key material, which also invalidates any key material for any Signal-Desktop session that previously existed - is this correct (I understood it as such that Signal-Android signs the key generated by Signal-Desktop)? Which means that at this point, any key material left on the old phone is useless and should no longer be able to send messages in A's name.
This is actually an extremely important feature of Signal security because it ensures an adversary who had access to a certain phone number in the past has absolutely no way to recover future messages sent via Signal to that phone number, once they lose access to that SIM card and the number is re-registered to their target. Even more certainly, they shouldn't be able to impersonate that user at this later point.
Old key material generated by Signal-Desktop must thus certainly be invalid. But somehow, it is not. Pinging @moxie0 because maybe he has an idea on whether there can be any kind of loophole like this, if two users have used that same Android device in the past? Again, I'm still stumped by the problem and don't understand how this can happen.
scottnonnenberg
commented
6 years ago @Natanji I agree that it doesn't make sense. And my attempts to make the narrative hold together above are why you think I 'massively' misread things. It really just doesn't add up.
Another idea I came up with was that there was some sort of old, unused Chrome profile set up on the machine, which was actually linked to the 'wrong' account. It could have been linked before the phone was fully wiped. If a new SIM was installed in the phone, but the app data wasn't wiped, and the new phone hadn't yet reclaimed the phone number, a desktop instance could have absolutely have been linked to the wrong account.
Janila
commented
6 years ago I don't know what kind of information is needed that I can provide. If there are any scenarios I should test, any logs I can provide, please tell me!
One aspect of why I still think this is a major problem is this: Both from my laptop signal and from A's laptop signal, messages can be send seeming to come from A's number. BUT on A's phone, the signal app shows only ONE linked device!
I got the debug files from A's devices aswell, maybe this can help: A's phone: https://gist.github.com/bd2c14418aa782b0851644c8bbe01f2c A's laptop: https://gist.github.com/ae5e73716f8392aeb5749944db702f2e
scottnonnenberg
commented
6 years ago We would like to continue digging in on this to understand the issue, and make sure it doesn't affect anyone else. Please feel free to reach out to me directly - you can find my email on my github profile.
not-nadim
commented
6 years ago Not that I know anything, but an issue this unusual likely deserves public documentation.
scottnonnenberg
commented
6 years ago To be clear, we need real phone numbers and further information that shouldn't be shared publicly to make progress on this investigation. Please reach out to me directly and we can get to the bottom of this.
Janila
commented
6 years ago With Scott we figured out that my laptop instance and A's laptop instance officially have the same id, as well as the same password. ("That means they contend for the same incoming messages. But they have different encryption information, so if I start talking with one of you, messages from the other will be errors.")
But independently from this we also discovered the resolution to this mystery and I'm very very happy to say that there is NO security problem here!
Some time this summer, I copied the folder /.config/chromium from A's to my laptop -- this was not connected in my mind with signal, as it was done towards a completely unrelated objective and had seemingly no effect whatsoever anyways.
But I'm quite sure now, that this is how A's keys etc got on my laptop. This did not, however, immediately made signal switch from my number/account/conversations to A's, but the info was still there in the data somewhere. When I updated the chromium signal folder (in preparation of switching to the new standalone) it used A's number/keys and so those were "active" from thereon.
And that makes SO MUCH MORE sense than some construction with using the same mobile phone in the past, which apparently was just a red herring -.- Sorry for the wrong lead and basically unsolvable mystery :(
One positive conclusion: It's definitely better to have signal as a standalone app now, because this could only happen because I didn't really in my mind connect the chromium browser to signal ^^
Sorry for not sticking to the proper bug report format, I'm a little scared and confused and wanted to get out a report as soon as possible. tl;dr: my desktop version of signal is not showing my conversations but those of a friend.
Repost from https://github.com/WhisperSystems/Signal-Android/issues/7151 as it is probably more related to the desktop version, might also have something to do with "core signal" [x] I have searched open and closed issues for duplicates
The details: I had Signal installed on my laptop (Ubuntu 16.04.2 LTS) as a chromium app and on my phone, everything working fine. I wanted to install the new standalone Signal on my laptop. Here are steps I did as well as I remember. Sorry, I don't know how to try to reproduce this, so there may also be irrelevant steps listed.
I followed the Linux install instructions: $ curl -s https://updates.signal.org/desktop/apt/keys.asc | sudo apt-key add - $ echo "deb [arch=amd64] https://updates.signal.org/desktop/apt xenial main" | sudo tee -a /etc/apt/sources.list.d/signal-xenial.list $ sudo apt update && sudo apt install signal-desktop
I tried to follow https://support.signal.org/hc/en-us/articles/115002502511-How-do-I-migrate-messages-to-the-new-Signal-Desktop-
I opened the old chromium signal app, there was a message saying it needed to be updated. Clicking on that message opened https://chrome.google.com/webstore/detail/signal-private-messenger/bikioccmkafdpakkkcpdbppfkghcmihk I was confused that there was no "update" button or similar. I tried several times, closing and opening both the chromium browser and the app, until at some point the "you need to update" message was gone and it apparently also was the current version: it included the " Migrate to standalone" menu item.
In this updated chromium app there were weird messages, which I then thought to just be old messages, but have now found out to be not messages between me (J) and my friends but between A and A's friends. So on the right hand side of each conversation there are messages which A has written, and on the left the messages of her friends. There is also a chat with my name, which contains the messages between us, hers on the right, mine on the left. The names of the contacts and contact photos are also A's. These are messages between March 2017 and June 2017 and also some few messages from the day before yesterday (2017-10-30)
I clicked "Migrate to standalone", and imported the generated folder in the new signal app.
From the new desktop app I wrote "test" to a common friend (K). On his phone he received that message twice: at 11:55 in the chat with me, and at 12:03 in the chat with A.
Since K's reply only reached my phone but not my the desktop app, I wanted to reconnect the desktop app to the phone. To this end I deleted my laptop under "linked devices" in the menu of the signal app on the phone. Shortly after this I did receive Ks reply at my laptop.
I found out that the messages were not old messages of mine, but As messages (see description in step 4)
Shock, horror and confusion
Only possible hint for an explanation I have that in 2015 or so A gave me an old phone of hers (not the one I'm using right now!) and on that phone first she and later I both used signal. I don't know exactly what degree of "wiping the phone" we did in context of the transfer.
My phone: Device : OnePlus A0001 (bacon) Android : 6.0.1 (2b5f277d1c, MHC19Q) Memory : 73M (4.69% free, 512M max) Memclass: 192 OS Host : cyanogen App : Signal 4.11.5
Chromium: Version 62.0.3202.62 (Offizieller Build) Built on Ubuntu , running on Ubuntu 16.04 (64-Bit) I have unfortunately already removed the old signal app there.
I can also add log files later if that makes sense, but before posting those, I would want to at least roughly read them, for which I am too tired right now. Posting this anyway because it seems pretty major.