core icon indicating copy to clipboard operation
core copied to clipboard
Published 6 days ago • verified publisher icon chatmail

Prevent silent probing of device online status

Open link2xt opened this issue 1 month ago • 3 comments

SecureJoin has two types of tokens: invite tokens and auth tokens. Currently SecureJoin invite token can be used to silently probe device online status. Auth token when successfully used results in a visible "member added" message for groups, but is not visible when establishing a contact second time.

This is a known problem for messengers recently described in Careless Whisper: Exploiting Silent Delivery Receipts to Monitor Users on Mobile Instant Messengers, but is not new, see also "Silent SMS" problem.

For auth token, we should make sure that successful usage of auth token always results in a visible info message (e.g. "Bob scanned your QR code", "Bob is already part of the group, but scanned your QR code again"). Bob normally should not even send us AUTH message multiple times (https://github.com/chatmail/core/pull/7335) so receiving multiple auth messages is unusual and it should be fine to display a message each time on Alice's side.

For invite tokens I don't have a solution yet because we don't have a place to display that invite token was used. Maybe we should expire them or limit the number of times they can be used, and revoke old token when the new one is created.

Actionable item for this issue is to make sure each successful processing of AUTH token results in a visible info message.

There is also a related issue https://github.com/chatmail/core/issues/7340 that should be closed soon, makes sense to close it first before even discussing this one.

See also Delta Chat forum topic.

link2xt avatar Dec 02 '25 15:12 link2xt

Bob normally should not even send us AUTH message multiple times (#7335) so receiving multiple auth messages is unusual and it should be fine to display a message each time on Alice's side.

wouldn't this be pretty common in multi-device setup??? what is unusual to me is that someone you share an invite link with is then going thru the effort of "probing online status"

adbenitez avatar Dec 08 '25 09:12 adbenitez

Indeed, this may happen if multiple Bob's devices are online at the same time. But then we can avoid showing an extra message to Alice if the second AUTH message arrives within a couple of minutes.

EDIT: vg-request-with-auth can't be sent from two devices normally, we don't sync the auth token for Bob. Forgot about that.

iequidoo avatar Dec 09 '25 06:12 iequidoo

Seems unlikely that Bob will scan the same QR code of Alice from two devices.

what is unusual to me is that someone you share an invite link with is then going thru the effort of "probing online status"

You share you invite link with everyone on Mastodon. Anyone on the internet can track when you are online.

link2xt avatar Dec 09 '25 13:12 link2xt