data breach when editing messages in a group

[RES-1]

Using a supported version?

• [X] I have searched searched open and closed issues for duplicates.
• [X] I am using Signal-Desktop as provided by the Signal team, not a 3rd-party package.

Overall summary

When a message is edited in a group, group members who were not yet members of the group at the time the message was originally created also receive the message.

Steps to reproduce

• create message in group;
• add member;
• edit original message;

Expected result

The edited message will not be displayed to the new group member.

Actual result

The edited message is displayed to the new group member.

Screenshots

No response

Signal version

7.9.0

Operating system

GNU/Linux/Fedora/KDE

Version of Signal on your phone

7.6.2

Link to debug log

No response

[ayumi-signal]

Hi, thanks for the report. It's not our intention that people can see messages they weren't sent originally, so we'd like to find out what's going on. We tried to reproduce but weren't able to. Could you please provide more info:

• Debug logs (View Menu -> Debug Logs)
• More details on repro steps -- Does the group invite result in Message request or have they been in contact before; is the group add being done from Desktop and not the mobile clients? and any other details you can remember.

[RES-1]

I have now created a test environment for this myself. It was a misjudgment that the new member would see the changed message. I apologize for the incorrect error message. The error arose because the changed message indicated in the informations that it was sent to the new member. However, this is just a “cosmetic flaw”.