
Data Loss Following Unverified Account Transfer and Unintended Cross-Device Synchronization

Open gab12 opened this issue 1 year ago • 6 comments

Guidelines

  • [X] I have searched open and closed issues for duplicates
  • [X] I am submitting a bug report for existing functionality that does not work as intended
  • [X] This isn't a feature request or a discussion topic

Bug description

Hello,

I followed a non-standard user path, and the problem is that I lost all my data. Here’s the use case: I wanted to transfer my "Signal" data from one device to another.

I had both devices, so I installed the app and began the transfer during setup. It worked very well. After the transfer, I had my data on both devices, which was perfect!

However, on the second device, in order to continue conversations, I was asked to verify the phone number linked to the account. That’s where the problems began, as I hadn’t renewed my phone line and therefore couldn’t receive the code.

So, I tried to work around the issue to continue using Signal. I entered another phone number of mine, hoping the code would be sent to the new line and unlock my access on the device.

Here’s what happened:

The code worked, but it didn’t give me access to the local Signal data on the device. Instead, it retrieved all the data linked to my new line, overwriting the transfer I had completed. Worse still, and what I consider a design flaw:

It also synchronized this new data on the original device, overwriting the original source of my data. Result: I now have three devices with data from my new phone line and have lost all my original data.

I believe that the data should never have been synced back to the original device and overwritten its contents without warning, especially since the second device had not completed verification of the code.

Screenshots

No response

Device

no name

Android version

Android 13

Signal version

7.20.2

Link to debug log

No response

gab12 avatar Oct 27 '24 11:10 gab12

I'm having trouble following the series of events here. It sounds like there's actually three devices in play, which we can label A, B, and C.

  • A: The original device you were transferring data from
  • B: The device you transferred data to
  • C: The device whose number you used to register B

Do all three devices have Signal installed?

Instead, it retrieved all the data linked to my new line, overwriting the transfer I had completed.

Can you elaborate? The only data Signal can restore is your group memberships+contacts. We can't restore any message content, so I'm confused by what you mean when you say "overwriting".

It also synchronized this new data on the original device, overwriting the original source of my data.

Are you saying the data from C is now on A? What data? Did you register C's phone number on A? Did you do a device transfer? Again, Signal the service has no access to any message data and cannot arbitrarily restore data onto devices. All we can do is sync your contacts and group memberships, but only if the number is registered on that device.

Some general things to keep in mind:

  • Signal has no access to message content. The only way data can be transferred is through local backups or device-to-device transfer. The only data we can restore after registration is your contact list and what groups you were in (no group contents).
  • A number can only be registered to a single Signal install. If the phone number on C was used for Signal, it would have become unregistered when you used it to register on B.

greyson-signal avatar Oct 28 '24 13:10 greyson-signal

Hello,

Sorry, the process is not easy to explain, yet I think it can (maybe) be considered a security flaw in Signal. Indeed, it allows you to inject unwanted data (channel, contact, etc.) onto a target terminal, or conversely reveal data... depending on where you are and who is doing the procedure, voluntarily or not.

Here is the procedure:

  • We have device "A" with our data.
  • We transfer data from "A" to device "B" of a third party (we can imagine that someone got their hands on a backup).
  • Device "B" has all the data, but access is locked because the identity has not been confirmed (an SMS being sent to device "A").

The Signal/Bug error in my opinion is that although access is locked on device "B" because the identity is not confirmed, the synchronization between "A" and "B" is active! We can therefore deliberately synchronize in one direction or the other while we are not the owner of the account.

Continuation of the procedure:

  • To validate the account on device "B" (while I do not have access to the phone number of device "A"), we indicate the phone number of a device "C" with a Signal account. At this point, all the data from device "C" is transferred to device "B" which is synchronized on device "A".

Result: With a backup of device "A" and without having access to its phone number, I was able to overwrite all of its "Signal" data and inject my messages using devices "B" and "C". I say "overwrite" content because the content on device "A" is no longer available, but it now sees content "C".

I hope these explanations (described in another form) are clearer!

gab12 avatar Nov 30 '24 10:11 gab12

If you take a backup of device A, restore it on device B (registering with number C), the following will be true:

  • Device B will start with the same data as device A.
  • Device B, once registered with number C, will be a completely different account. There is no link between Device A and Device B any longer. They're just two different accounts that share the data that was initially restored from a backup of A.

It's also worth noting that in order for Device B to restore that backup, they'd need access to the long, randomly-generated passphrase associated with the backup. So if this was someone malicious, they'd need both the backup file and the passphrase.

The Signal/Bug error in my opinion is that although access is locked on device "B" because the identity is not confirmed, the synchronization between "A" and "B" is active!

This isn't true. Device B has the initial data restored from device A, but it isn't registered. The only data that is synced through Signal is contact and group metadata, and that requires that the device is registered, which B is not. Further, when you register device B with number C, you get a different account that is completely unrelated to device A, so no contact/group metadata would be synced to A.

At this point, all the data from device "C" is transferred to device "B"

You'll have to be more clear. If you registered number C on device B, and you entered the PIN for C, then you'll get the contact/group metadata associated with C. But you wouldn't have any other data.

With a backup of device "A" and without having access to its phone number, I was able to overwrite all of its "Signal" data and inject my messages using device "B" and "C". I say "overwrite" content because the content on device "A" is no longer available, but now sees content "C"

This just isn't possible. I don't know what you're doing, or what you think you've done, but these are two different accounts at this point. Further, it is impossible to remotely replace someone's messages with another set of messages because Signal doesn't have that data. The only way to replace the data on a device is through a backup restore or device-to-device transfer.

greyson-signal avatar Dec 02 '24 15:12 greyson-signal

Hello greyson-signal,

Thank you for your feedback and expertise. Indeed, I made a "language misuse" when I was talking about data, as you point out (and I believe rightly so) that it's not really data (message) but metadata. Apologies for the misunderstanding.

However, I really saw with my own eyes that my account was replaced remotely. Here’s the use case to reproduce it: Prerequisites: 3 devices, 2 accounts.

  1. Device A with David's account.
  2. Transfer David’s account from Device A to Device B (Signal transfer procedure).
     • David’s account on Device B is not confirmed.
  3. On Device B, instead of entering David's phone number, enter Julien's phone number (Device C with a Signal account).
     • B will resynchronize and retrieve the metadata from Device C (losing the backup from A).
     • A will resynchronize with "B" and retrieve the metadata from "C" (via B) and lose its own metadata.

That’s what happened to me.

gab12 avatar Jan 16 '25 22:01 gab12

I believe I experienced this same issue today with an even simpler setup with only 2 devices:

  • Device A - my old phone with Signal installed and all my message history, and my SIM card still in it
  • Device B - brand new phone with no SIM card

  1. Install Signal on Device B
  2. Started the transfer on both devices
  3. Type in my phone number to complete the transfer
  4. Find that some metadata has been transferred to device B (membership in group chats) but no message history or media have been transferred
  5. Find that device A has been logged out of Signal with all messages gone.

So now my 3 years of messages with my loved ones are completely gone, and at no point did either app warn me that I was going to lose data. I guess the problem is that I hadn't moved my SIM card to the new phone when I did the transfer. But nothing in the instructions said I needed to do that first!

bplevin36 avatar Jan 18 '25 17:01 bplevin36

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Mar 20 '25 01:03 stale[bot]

This issue has been closed due to inactivity.

stale[bot] avatar Mar 27 '25 02:03 stale[bot]