Signal recently fixed a critical bug in its Android app that, in some cases, sent random unintended pictures to contacts without any clear explanation. Although the issue was first reported in December 2020, given the difficulty of reproducing the error, it was not until this month that a fix was rolled out to Android users of the end-to-end encrypted messaging app.
How Were Random Images Sent Out to Random Contacts?
This month Signal patched a bug that affected users of its Android application in a few circumstances. When a user sent an image to one of their contacts using the Signal Android application, the contact would receive not just the selected picture but also a few random, unintended images that the sender had never even sent out.
An example of such a case is given below, which demonstrates how the sender (left) merely sent a GIF as part of a text conversation, but the receiver (right) got two additional images with no plausible explanation:
This issue was initially reported in December 2020 by Rob Connolly on the application's GitHub page. Other users repeatedly stepped in to confirm the error reported by Connolly. He also said that, considering the sender had not sent out the extra images, this was either a case of messages getting “crossed-over” from another contact of the recipient or, worse, from an unknown party.
Fortunately, in the example shown above, the exposed images were not of a sensitive nature.
Which Application Property Is Responsible for This Bug?
When the issue was reported in December 2020, Signal’s team promptly stepped in and requested logs in order to debug and remediate the bug. Unfortunately, it took some time and effort to remediate the issue effectively. Another user, Adrian Ostrowski, stated that a bug like this effectively made it impossible to transmit images confidentially via the Signal app.
Signal’s Android developer Greyson Parrelli responded that the fix has been rolled out in the updated version 5.17 of the Signal Android app, released this month. “We do, in fact, take concerns like this very seriously. This error was extremely rare, and because we have no metrics/remote log collection, there was an initial period where we had to spend time adding logging and collecting user-submitted logs to try to track it down.”
“As soon as we were able to pick up an essence, it was all we worked on, and we were able to get a fix out very quickly,” said the developer.
For those interested, the issue stemmed from the “ID” fields not being set to auto-increment in the SQLite database tables used by the application.
The main commits [1,2] shared by Signal show that “AUTOINCREMENT” has now been added to a few tables that required the property:
“For some background, this flaw came about as a rare intersection of some database properties and a separate error.” “The TL;DR is that if someone had conversation trimming on, it could create a rare situation where a database ID was re-used in a way that could result in this behavior.”
“It was very challenging to track down, with earlier phases involving getting additional logging into builds.” “Once we had some more information, it did in fact become our top priority, a fix was made, and we got it out as quickly and as safely as possible. The fix itself should make it so that a database flaw like the one that caused this error can’t happen again.”
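The ID re-use described above can be reproduced in any SQLite database. The following is an added example, not code from Signal or from the original article: it is a simplified model in which the table name, column names and sample rows are hypothetical and constructed, showing how a leftover reference to a trimmed row resolves to an unrelated row unless the ID column is declared AUTOINCREMENT.

```python
import sqlite3

PLAIN = "INTEGER PRIMARY KEY"                # rowid alias: freed ids can be reused
FIXED = "INTEGER PRIMARY KEY AUTOINCREMENT"  # ids are never reused

def resolve_stale_reference(id_ddl):
    """Trim a row, insert a new one, then look up the trimmed row's id again.

    Returns (id_of_new_row, row_the_stale_id_now_points_to).
    The schema is a hypothetical stand-in, not Signal's real one.
    """
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE attachment (_id {id_ddl}, thread TEXT, file TEXT)")
    insert = "INSERT INTO attachment (thread, file) VALUES (?, ?)"

    # Constructed sample rows.
    db.execute(insert, ("thread-A", "holiday.jpg"))
    stale_id = db.execute(insert, ("thread-B", "old_photo.jpg")).lastrowid

    # Conversation trimming deletes the row with the highest id, while some
    # other record (modelled by stale_id) still remembers that id.
    db.execute("DELETE FROM attachment WHERE _id = ?", (stale_id,))

    # A new, unrelated attachment is stored afterwards.
    new_id = db.execute(insert, ("thread-C", "private_scan.png")).lastrowid

    # Resolve the leftover reference.
    row = db.execute(
        "SELECT thread, file FROM attachment WHERE _id = ?", (stale_id,)
    ).fetchone()
    db.close()
    return new_id, row

if __name__ == "__main__":
    for label, ddl in (("without AUTOINCREMENT", PLAIN), ("with AUTOINCREMENT", FIXED)):
        new_id, row = resolve_stale_reference(ddl)
        print(f"{label}: new row id={new_id}, stale reference resolves to {row}")
```

Without AUTOINCREMENT, SQLite assigns the largest existing rowid plus one, so the freed ID is handed to the new row; with AUTOINCREMENT it keeps the highest ID ever used in `sqlite_sequence` and the stale lookup finds nothing.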