Signal fixes bug that allowed users to see images of others
Signal fixed a bug in the Android app that allowed some users to see images intended for other contacts of the sender. A ticket has been open for the bug since December 2020, but according to the makers, it was rare.
Signal says it has fixed the bug in the most recent version. That is version 5.17 of the Android app. The issue was first reported by a user in early December. He described on the GitHub page that he sometimes saw images that may have been sent to other users in the contact list of the first user, although the issue does not indicate whether the images really came from them. Later it turned out that there were more users who had that problem. That only happened on Android devices. For some users, the problem seemed to occur sporadically, for others consistently.
The problem should now be solved. Few details are available about what exactly went wrong, although the two commits associated with the issue are visible. They show that some fields in the SQLite database did not use the autoincrement function. That has been added in the new versions.
According to the developer, the bug was linked to another bug. The problem would only arise if users had conversation trimming turned on. That is a feature where old messages in a conversation are automatically deleted. In that case, a user’s database ID could be reused for other users. “It was very difficult to figure out the bug,” the developers say. “Once we gathered more information, this became our top priority.”
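The ID reuse described above follows from how SQLite assigns row IDs: without AUTOINCREMENT, a new row gets the current maximum ID plus one, so deleting the newest row frees its ID for the next insert. The following is an added example, not Signal's code; the table name, column names and sample rows are hypothetical and constructed for illustration.

```python
import sqlite3


def stale_reference_after_trim(autoincrement: bool):
    """Delete the newest row, insert a row for someone else, and return
    (id given to the new row, row that the old id now resolves to)."""
    pk = "INTEGER PRIMARY KEY" + (" AUTOINCREMENT" if autoincrement else "")
    db = sqlite3.connect(":memory:")
    # Hypothetical schema, not taken from the Signal code base.
    db.execute(f"CREATE TABLE item (_id {pk}, owner TEXT, payload TEXT)")

    # Constructed sample data: three rows belonging to "alice".
    db.executemany(
        "INSERT INTO item (owner, payload) VALUES (?, ?)",
        [("alice", "a1.jpg"), ("alice", "a2.jpg"), ("alice", "a3.jpg")],
    )

    # Some other part of the app still remembers the newest id (3).
    stale_id = db.execute("SELECT MAX(_id) FROM item").fetchone()[0]

    # Trimming removes the row that the remembered id points at.
    db.execute("DELETE FROM item WHERE _id = ?", (stale_id,))

    # A new row is stored for a different owner.
    cur = db.execute(
        "INSERT INTO item (owner, payload) VALUES (?, ?)", ("bob", "b1.jpg")
    )
    new_id = cur.lastrowid

    # Resolve the remembered id again after the trim and the insert.
    resolved = db.execute(
        "SELECT owner, payload FROM item WHERE _id = ?", (stale_id,)
    ).fetchone()
    db.close()
    return new_id, resolved


if __name__ == "__main__":
    # Without AUTOINCREMENT the freed id is handed to bob's row,
    # so the stale reference silently resolves to bob's data.
    print("plain primary key:", stale_reference_after_trim(False))
    # With AUTOINCREMENT the id is never reused and the lookup finds nothing.
    print("autoincrement:    ", stale_reference_after_trim(True))
```

With AUTOINCREMENT the stale lookup fails visibly instead of returning another owner's row, which is the safer failure mode.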
As far as is known, the bug only occurred among Android users. The developers say that was “very rare,” although some users on Hacker News note that Signal can’t tell without good telemetry.
Update: the piece has been clarified to state that these are images that come from local users and not random Signal users.