Signal-desktop: Don't show contact phone numbers to prevent shoulder surfing

Created on 9 Nov 2017 · 5 Comments · Source: signalapp/Signal-Desktop

  • [X] I have searched open and closed issues for duplicates

Bug description

My contacts' phone numbers are visible on the top of the right column above conversations. This can implicate contacts that I talk to if someone happens to be in my vicinity viewing my desktop.

Steps to reproduce

Visible on startup

Actual result: The phone number is immediately visible, w/o warning. Prying eyes will know their contact number immediately.

Expected result: Phone number should only be exposed after the user allows it.

Screenshots

Platform info


Operating System: Linux Mint 18.2
Browser: Firefox 56

Signal version: 1.0.37

Link to debug log

Feature Request

All 5 comments

Very keen observation. I too would like

  • to have an option to hide/show it, or
  • to have it hidden by default and you have to open the contact's profile (click on their name) to see the actual number.

Keep in mind that the same issue exists in the mobile version as well (at least on Android I can confirm), so it would be consistent to have this work in a privacy-centric way on all platforms.

Check response in this ticket:
https://github.com/WhisperSystems/Signal-Android/issues/5277

They refused to do this on mobile at least twice... I don't think that will change in the near future.
I also think they should give us the ability to hide the mobile number. It would be helpful, for example, when traveling on public transport.

I have this strange feeling that the Signal leadership doesn't give a damn about end-point security.

thanks but we're not going to do this

Moxie Marlinspike has been rejecting essential security features like that multiple times, with no explanation. (Just think of all the GitHub issues where the encryption of locally stored data/messages came up. They were all no-thanks'd by Moxie, closed and disabled for commenting.)

The application is championed as the pinnacle of in-transmission security, which is great, and we can't tell you what to implement and what not. But please, this is supposed to be a "secure messenger". I also find it appalling that there is a popular and well-constructed security tool (Signal), and the head developer reacts to obvious security requests in such a non-open way.

A temporary workaround would be to create a contact for yourself with your number. It shows up as YourName, Recipient1, Recipient2, etc.

Would love to see this. Seems like such a small oversight.
