Skip to content
This repository has been archived by the owner on Jan 27, 2024. It is now read-only.

OTR + telegram-purple = phone number leak #565

Open
n0toose opened this issue Jan 16, 2021 · 10 comments
Open

OTR + telegram-purple = phone number leak #565

n0toose opened this issue Jan 16, 2021 · 10 comments

Comments

@n0toose
Copy link

n0toose commented Jan 16, 2021

Steps to reproduce

  • Leave OTR turned on by accident, since you tend to use encryption in your casual XMPP-related communications.
  • Your "account name", also known as the phone number which isn't meant to be public unlike an XMPP address, gets shared with the other party.
  • Congratulations, you've now inadvertently leaked your phone number to a stranger on the internet.

._.

@EionRobb
Copy link
Contributor

Unfortunately this is hard-coded into the OTR plugin to use the account username during negiotiations, as it makes the assumption that usernames are public (which, for the built in protocols it normally is)

@n0toose
Copy link
Author

n0toose commented Jan 16, 2021

Yeah, that sounds normal to me, but why does the plugin also proceed to throw a phone number under the field where things are presumptively public? Despite it being a login method, it is not quite infallible either, as multiple accounts can be technically registered under one phone number (see: MTProto applications with tokens).

@BenWiederhake
Copy link
Collaborator

I can absolutely see how this bothers you. However, changing this would be a large effort, and I don't quite want to do this with telegram-purple.

Can you give tdlib-purple a go? It also uses the own telephone number as an ID, so maybe it has the same issue? If it has to be implemented anyway, I strongly suggest implementing it for tdlib-purple. (Maybe the internal ID could be an account setting that must be set during account creation? Or possibly even some nonsense like a UUID?)

@bodqhrohro
Copy link

I posted an issue about it in the pidgin-otr bugtracker almost a year ago:
2021-01-20-001153_1366x768_scrot

Though from that on, they removed the issue, and probably my account too. AFAIR, I logged in via OAuth, which is now missing.

@n0toose
Copy link
Author

n0toose commented Jan 19, 2021

I posted an issue about it in the pidgin-otr bugtracker almost a year ago:
2021-01-20-001153_1366x768_scrot

Though from that on, they removed the issue, and probably my account too. AFAIR, I logged in via OAuth, which is now missing.

Sounds a bit hostile, although I'd see why they wouldn't like to make specific exceptions for whichever Pidgin plugin pops up. Maybe a feature request involving allowing developers of other plugins to exclude themselves from OTR support instead could fair a bit better?

@bodqhrohro
Copy link

Sounds a bit hostile

I doubt it was intentional. Maybe they just dropped all OAuth accounts along with content created by them, as there was too few of them and it was easier to sacrifice them rather than properly migrate the content to the anonymous account. Though I'd better try to contact them for clarifications than guess.

Also, I see at least two newer issues about leaking the username, but via other channels.

to exclude themselves from OTR

Why? The good side of OTR is that it transparently works through any plaintext medium, be it picture metadata, SMS, or pigeon mail ;) Locking it out from some protocols would be rude.

@n0toose
Copy link
Author

n0toose commented Jan 20, 2021

@bodqhrohro It assumes that:

a) Both users are communicating through Pidgin by default, while sacrificing the privacy of the user in a very, very horrible and unexpected manner.
b) Since this add-on is built on top of MTProto and Secret Chats are supported, why is an implementation that's basically VERY flawed in this case scenario and could only work as an additional layer of security turned on by default? Additional encryption is supposed to protect the user, but the takeaway here is that it can be more compromising than anything, sane defaults count!

Giving developers the ability to opt-out, rather than either being forced in and having to use it everywhere or nowhere is basically the most sane response to this, although it's probably out of the scope of this project for the time being.

@bodqhrohro
Copy link

and Secret Chats are supported

I guess it's a matter of trust: for some persons, OTR is more trustful than Telegram's self-invented E2EE. I definitely know that some persons use OTR over Telegram, as they requested OTR support in Zhabogram (by default, Zhabogram prepends a header to the content of every message, which breaks OTR).

BTW, I reached @DrWhax on IRC, and they told that the account/issue deletion was probably a spam misdetection, and also that pidgin-otr may get frozen, for the slow development pace of Pidgin and its security being a mess, so the issue will barely get fixed anyway.

@bodqhrohro
Copy link

Oh, and I encountered a reason to use OTR over Telegram: unlike native Secret chats, OTR-encrypted messages in plain chats can be stored on the server and synced across devices.

@n0toose
Copy link
Author

n0toose commented Jan 22, 2021

I guess it's a matter of trust: for some persons, OTR is more trustful than Telegram's self-invented E2EE. I definitely know that some persons use OTR over Telegram, as they requested OTR support in Zhabogram (by default, Zhabogram prepends a header to the content of every message, which breaks OTR).

Yeah, the truth is that you're absolutely right with this. I spoke through the lens of my own frustration, I'll probably consider using this but it's barely possible in its current state, as a person who also uses Telegram for groups and to talk to people on the internet that probably have no business of knowing my personal phone number anyways.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants