SECURITY ISSUE: Signal doesn't strip EXIF from sent images, including precise location data #1984
Comments
I'm not so sure about the necessity of this. If I wanted to remove EXIF data, I could get an app that does it, and send the stripped version. Otherwise I would want to send the photo with EXIF data, if I want my recipient to know where and when it was taken, and the aperture, shutter speed, etc. Maybe it could be optional in the app? On a side note if we want Signal to be sending completely "anonymous photos", we should definitely be considering the issue of camera fingerprinting as well. Without making special modifications to a photo, the subtle imperfections of a photo can be used to identify the camera that took it. For example, if you use your phone's camera to take pictures that you post publicly on Facebook, and send a different photo from the same camera to a person anonymously, camera fingerprinting based on the contents of the actual photo could be used to tie the anonymous photo to your Facebook identity, without checking EXIF data. |
I would like that option because the idea of Signal is to make it as user
friendly as possible; the EXIF data can be easily removed and should be
incorporated.
My 2 Cents.
Regards,
Theo Chino
article78againstNYDFS.com
…On Sun, Apr 16, 2017 at 12:33 PM, Eugene Belinski ***@***.***> wrote:
I'm not so sure about the necessity of this. If I wanted to remove EXIF
data, I could get an app that does it, and send the stripped version.
Otherwise I would want to send the photo with EXIF data, if I want my
recipient to know where and when it was taken, and the aperture, shutter
speed, etc. Maybe it could be optional in the app?
On a side note if we want Signal to be sending completely "anonymous
photos", we should definitely be considering the issue of camera
fingerprinting
<https://33bits.org/2011/09/19/digital-camera-fingerprinting/> as well.
Without making special modifications to a photo, the subtle imperfections
of a photo can be used to identify the camera that took it. For example, if
you use your phone's camera to take pictures that you post publicly on
Facebook, and send a different photo from the same camera to a person
anonymously, camera fingerprinting based on the contents of the actual
photo could be used to tie the anonymous photo to your Facebook identity,
without checking EXIF data.
|
My thoughts: I don't think we should go this way. Why don't you forbid the camera app from using the location services if security matters? Why not disable location and/or other services at system level? The problem is that some users want a feature that other users don't, and if every feature gets an on/off switch the preference pane will grow with many switches. Maybe they depend on each other or are mutually exclusive... NO, that isn't user friendly and maybe results in deceptive security... |
I think the Android version strips the EXIF data. Maybe we should change it for consistency. Edit: I was wrong. It is incidentally stripped because of image scaling: |
The steps to reproduce indeed included enabling Location Services for Camera.app, but the threat exists in many situations, including passing along an image received from someone else. (For example, John McAfee's location while in hiding was revealed precisely this way.) Information leakage via metadata is a thing, and pretending it isn't only undermines confidence in this project. |
If signal can strip metadata at minimal cost, then it should do it.
The default for signal is privacy so anything that can reveal it should be
removed; no toggle switch required.
If you need EXIF info to be sent, it should be per item (click on picture and
say EXIF enabled.)
Regards,
Theo
https://privacyboard.nyc
…On Tue, Apr 18, 2017 at 3:34 AM ThePowerOfDreams ***@***.***> wrote:
The steps to reproduce indeed included enabling Location Services for
Camera.app, but the threat exists in many situations, including passing
along an image received from someone else. (For example, John McAfee's
location while in hiding was revealed precisely this way.)
Information leakage via metadata is a thing, and pretending it isn't only
undermines confidence in this project.
|
I'm unclear on how the onus is now on the "middleman" in this situation. If the receiver doesn't want their location shared, shouldn't they be the ones turning off location metadata? |
I guess I can see the case for stripping EXIF from a user friendly perspective. The average Signal user may not be aware that sending a picture means sending the location the picture was taken if that feature is turned on, and on iPhone it usually is. And even if a user knows that the feature is turned on to collect location information for each photo, it's totally possible that he wouldn't be aware that the location data is stored inside the image file itself, and that Signal sends the whole file. After all, iOS abstracts away the concept of files, so many users don't know how metadata is stored on iOS. Edit: I'm also reminded of the story of Higinio O. Ochoa III, a hacker that got caught because he used software to remove the EXIF data from an image he wanted to upload, but then accidentally uploaded the original. Even when you know about EXIF, you could still screw up. |
I would suggest a global checkbox in Settings (Strip image metadata). |
The answer is not more options: https://github.com/WhisperSystems/Signal-Android/blob/master/CONTRIBUTING.md#development-ideology |
*The user doesn't know what a key is.*
Many times I turn an option off in the OS, and at the next update I discover
that the option has been turned back on during the update.
Geo-location is actually one of those options that the OS does turn back on.
The system should be as simple for the user regardless of what the OS does.
…On Mon, Apr 24, 2017 at 1:42 PM, Alex Jordan ***@***.***> wrote:
The answer is not more options: https://github.com/WhisperSystems/Signal-Android/blob/master/CONTRIBUTING.md#development-ideology
|
If users really want to send the photo's location they can just tell the recipient where the photo was taken (or share a pin from Photos.app after sending it). In my opinion, most "normal" users^ won't:
... meaning that not stripping EXIF metadata is at best helping only a minimal number of users (for whom simple workarounds exist) and at worst jeopardising people's security without their knowledge. If the answer is not adding settings (and I agree that it is not), then I'd suggest the answer is strongly in favour of stripping the EXIF data. ^ the development guidelines also state that there is no such thing as a power user, and providing options with them in mind is often especially damaging. |
After reading ephemer's comment, an idea:
So "do not strip" would be a deliberate act in a rare, but real scenario. |
Some metadata I think we should definitely not strip by default. For example, when you edit a picture and rotate it with the iOS Photos app, then you delete all metadata, the orientation goes back to the original, because the photo itself wasn't changed, just some metadata. On an unrelated note, has anyone else noticed that this issue's number is #1984? 🤔😄 |
I agree that stripping should be OPT-OUT rather than OPT-IN. Chances are users won't notice if their EXIF is stripped, but they should have the option either way. Signal's initial privacy orientation should make it pretty clear that EXIF should be stripped IMHO. |
Signal should remove ALL EXIF data, not only location. If you want to send a picture with EXIF data, use another app. |
Signal absolutely should offer to remove metadata. Period. Adding settings is the answer. Firefox has many, many options in "about:config". So Signal should make the best choices for privacy but allow people to dig through a more granular menu somewhere. It's out of the way unless you go looking through the settings. That way people who actually care will find it, but people who don't care are protected by strong default settings. This isn't going to clutter the UI. It's very simple and will help protect the privacy of most people using this app. You have to realize that we are in an extremely small sample size. Most people have no idea what can be leaked through metadata. Most people don't understand the details of surveillance and software to the degree that you guys do. How many hundreds of thousands of people do you think use this app? Most of them will probably never even visit this repository, let alone understand the dangers of metadata. So if Signal can do it, it's worth helping out people who aren't as privacy conscious as we are. |
I disagree. Signal should not offer to remove the metadata. The word 'offer' implies it might be a prompt. Signal should strip (at a minimum) geolocation data - period. EXIF data in photos is a fidelity signal from a camera to a photo. It preserves as much metadata about the image as possible for future categorization and record keeping. It's similar to saving a photo in RAW format. Signal is not designed to be a photo archiving app or editing or storage app. It's for sharing messages and photos. There is no mechanism in Signal to view EXIF data, and doing so is something only particularly technical people would think of or even be able to try. And geolocation data is extremely sensitive (it's extremely common to take photos in your own home) and in many or most cases one does not want to share their home address with all the individuals one may wish to send a picture to. Signal should do the 'safe' thing by default, which would be at a minimum to strip geolocation data. Maybe, maybe there could be an option to disable this feature, buried somewhere - but I don't even think the option is necessary. |
Okay I agree. Sorry for not being precise with my words. Essentially I meant that Signal should have the capability to do this. And it would be accessible to manage in settings. Safe by default is the right way to handle. Thanks! |
Another angle of looking at this is that because sometimes it strips EXIF data due to resizing (Android), people might gather that it does all the time. Ex. I do a simple test to make sure it's safe, it passes, then I have a false sense of security and send pictures without thinking about it again. For the iOS version, @Calefornia I agree :) - I've had a few people now send me pictures from Android and I save them to the iOS camera roll. Then later I look at my Photos app and that picture shows up in the "Places" group. Turned out I can zoom right to where their house was!! In all cases, the user didn't know about this and I had to give them instructions on how to disable location services. |
Here's a link to the Metadata Anonymisation Toolkit, which in turn provides links to similar projects: Hopefully someone can integrate code or modify it as needed for Signal. |
For iOS, the current logic is that in order to avoid re-encoding GIF/PNGs as JPEG we are retrieving the raw data using the Photo Framework ( So, in order to keep the current functionality and code as is, one option available would be to add an extra step - after retrieving that This is something I could implement and do a PR for, unless anyone has any objections to that solution or better suggestions here. |
We'd consider a PR which strips out non-orientation exif metadata by default, with an option to leave it in (settings > privacy > remove image meta data). Be aware that the image picker is not the only source of images. Additionally images can come from the document picker (e.g. iCloud), copy/paste, etc. We'd want the same behavior regardless of source. My feeling is that the SignalAttachment class, which all sources flow through, may be the right place to implement this. |
Okay, I can work on and implement this in SignalAttachment and then do a PR for it. |
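To make the proposed iOS behaviour concrete (strip everything except orientation, at the point where all attachment sources converge) and to show the kind of check the earlier "simple test ... false sense of security" comment was relying on, here is an added example written for this thread. It is not Signal code and not from the PR discussed above; it works at the JPEG marker-segment level in Python so it runs without any image library. The JPEG it operates on is constructed inline and is only a skeleton (placeholder DQT/SOF/SOS payloads, fake scan bytes, not decodable) carrying a real Exif APP1 segment with Orientation=6 and a GPS sub-IFD. Tag and marker numbers follow the JPEG and Exif/TIFF specifications; function names are this example's own.

```python
"""Added example: detect GPS metadata in a JPEG and strip all APPn/COM
segments, re-adding only the EXIF Orientation tag. Not Signal's code."""
import struct

SOI, EOI, SOS, APP0, APP1, COM = 0xD8, 0xD9, 0xDA, 0xE0, 0xE1, 0xFE
TAG_ORIENTATION, TAG_GPS_IFD = 0x0112, 0x8825   # Exif IFD0 tag numbers
EXIF_HEADER = b"Exif\x00\x00"


def segment(marker, payload):
    """Serialise one segment: FF <marker> <16-bit length incl. itself> <payload>."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


def iter_segments(data):
    """Yield (marker, payload) for each header segment, then (None, scan_bytes)
    for the entropy-coded data between SOS and EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = data[pos + 1]
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length
        if marker == SOS:
            yield None, data[pos:data.rfind(b"\xff\xd9")]
            return
    raise ValueError("no SOS segment found")


def read_ifd(tiff, endian, offset):
    """Parse one TIFF IFD into {tag: inline SHORT value, or LONG/offset}."""
    count = struct.unpack(endian + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(count):
        base = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(endian + "HHI", tiff[base:base + 8])
        fmt, width = ("H", 2) if (typ == 3 and n == 1) else ("I", 4)
        entries[tag] = struct.unpack(endian + fmt, tiff[base + 8:base + 8 + width])[0]
    return entries


def exif_info(app1):
    """Return (ifd0_tags, gps_tags) for an Exif APP1 payload, or None if not Exif."""
    if not app1.startswith(EXIF_HEADER):
        return None  # e.g. an XMP APP1 segment
    tiff = app1[len(EXIF_HEADER):]
    endian = ">" if tiff[:2] == b"MM" else "<"
    ifd0 = read_ifd(tiff, endian, struct.unpack(endian + "I", tiff[4:8])[0])
    gps = read_ifd(tiff, endian, ifd0[TAG_GPS_IFD]) if TAG_GPS_IFD in ifd0 else {}
    return ifd0, gps


def has_gps(data):
    """The check a sender can run: does any Exif segment carry a GPS sub-IFD?"""
    for marker, payload in iter_segments(data):
        if marker == APP1:
            info = exif_info(payload)
            if info and info[1]:
                return True
    return False


def minimal_exif(orientation):
    """Exif APP1 payload whose IFD0 holds only Orientation (big-endian TIFF)."""
    tiff = b"MM" + struct.pack(">HI", 42, 8) + struct.pack(">H", 1)
    tiff += struct.pack(">HHIHH", TAG_ORIENTATION, 3, 1, orientation, 0)
    return EXIF_HEADER + tiff + struct.pack(">I", 0)  # no next IFD


def strip_metadata(data, keep_orientation=True):
    """Rebuild the JPEG without APPn/COM segments; keep decode-critical ones."""
    orientation, kept, scan = None, [], b""
    for marker, payload in iter_segments(data):
        if marker is None:
            scan = payload
        elif marker == APP1:
            info = exif_info(payload)
            if info and TAG_ORIENTATION in info[0]:
                orientation = info[0][TAG_ORIENTATION]   # remember, then drop
        elif APP0 <= marker <= 0xEF or marker == COM:
            continue  # JFIF/XMP/IPTC/Photoshop/comment blocks are not needed to decode
        else:
            kept.append((marker, payload))  # DQT, SOF, DHT, SOS, ...
    out = b"\xff\xd8"
    if keep_orientation and orientation is not None:
        out += segment(APP1, minimal_exif(orientation))
    return out + b"".join(segment(m, p) for m, p in kept) + scan + b"\xff\xd9"


def constructed_jpeg_with_gps():
    """Constructed skeleton (not decodable): Orientation=6 plus a GPS sub-IFD."""
    gps_off = 8 + (2 + 2 * 12 + 4)                       # IFD0 is 30 bytes
    tiff = b"MM" + struct.pack(">HI", 42, 8) + struct.pack(">H", 2)
    tiff += struct.pack(">HHIHH", TAG_ORIENTATION, 3, 1, 6, 0)
    tiff += struct.pack(">HHII", TAG_GPS_IFD, 4, 1, gps_off)
    tiff += struct.pack(">I", 0) + struct.pack(">H", 2)   # GPS IFD: 2 entries
    tiff += struct.pack(">HHI", 0x0000, 1, 4) + bytes([2, 3, 0, 0])  # GPSVersionID
    tiff += struct.pack(">HHI", 0x0001, 2, 2) + b"N\x00\x00\x00"    # GPSLatitudeRef
    tiff += struct.pack(">I", 0)
    return (b"\xff\xd8" + segment(APP1, EXIF_HEADER + tiff)
            + segment(COM, b"shot at home")
            + segment(0xDB, b"\x00" + bytes(64))                      # DQT placeholder
            + segment(0xC0, b"\x08\x00\x10\x00\x10\x01\x01\x11\x00")  # SOF0 placeholder
            + segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
            + b"\x12\x34\x56" + b"\xff\xd9")                          # fake scan + EOI


if __name__ == "__main__":
    img = constructed_jpeg_with_gps()
    print("GPS before:", has_gps(img), "after:", has_gps(strip_metadata(img)))
```

Two things worth noting from the design: `has_gps` answers the question the earlier Android comment raised (was the EXIF really stripped, or did a resize just happen to drop it?), and `strip_metadata` is a whitelist rather than a blacklist, which is why it also removes the COM block and any XMP/IPTC segments the reporter did not mention but which can carry the same location and device details.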
so much nonsense talk for something you can do yourself (free app Koredoko can strip exif https://itunes.apple.com/us/app/koredoko-exif-and-gps-viewer/id286765236?mt=8) meanwhile we don't even have yet a way to clean up received media stored locally, but you all keep complaining about something totally irrelevant |
This is a must. The aim is to constantly improve and make the software better and protect privacy. Signal is used by people who don't understand the types of protection it truly offers. Knowing that these users don't know what EXIF data is, I think it is essential that a user be able to send photos without revealing their private information, without their understanding of said EXIF data. I did the same yesterday. Geolocated a person to their precise real-time location and disclosed to said individual to ensure their apps do not permit geolocation information stored in photos. But I feel as the filer of this issue feels, that for the majority this is a security issue. |
In regards to camera fingerprinting: the process isn't as easy as exiftool. |
Does #2907 getting merged mean this issue can be closed? |
@databonanza Please read the discussion before commenting. Scrolling up will show you it has already been done, it just needs to be closed. |
Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward? This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. |
While the original report was about "Signal doesn't strip [enough] EXIF data", it turned out that people disagreed on that point and maybe a toggle was needed to strip / don't strip meta data from images (and other media), see also #5968 Image Meta Data Removal for a similar discussion for the Android version. So far this toggle has not been implemented for either platform, so I think this report is still valid. There was an argument about not wanting too many configuration items in the application, but we do have "Sealed Sender" and "Advanced PIN" settings now, so I guess this point is moot now :-) |
Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward? This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. |
Is there a way to prevent stale bot from trying to close this issue every 5 months? |
@ckujau This project uses the default configuration of the stale bot. You can read more about it in the README of the bot. |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
Stale devs not stale thread. This issue is quite important. Let's ban stale bot from certain threads that are important. Also, this should be an easy fix. |
Why won't the bot remove the label? |
This issue has been closed due to inactivity. |
5 years of dev silence on a hot issue for it to just to get closed by stale bot, time to switch messaging apps. |
To what though? I can't believe this is just left alone. I have tried to pull exif data from signal photos and "there is none" but I don't know if it's because Signal is scrubbing it. This is a big problem, who is the person we need to @ to get their attention on this? |
As far as I know Signal DOES strip the EXIF data for a few years now. |
If it has actually been addressed it should be explicitly closed, not closed by stalebot. |
This. Can someone please mark this as resolved (or the equivalent?) |
Actually, that is right, but devs don't really review old tickets unfortunately 🙁 |
I don't see any indication that the app actually strips EXIF data. If it does, then someone can link to the functionality. |
I think this is it: |
Is it actually resolved? Moxie still won't let us save our data on iOS since I opened this issue five fucking years ago, so Signal is now my third choice behind Threema and Matrix. Shrug. |
Good hunting. That commit removes the option to remove metadata so it's done by default. I eventually found this code in the master branch. I found this comment on Android and this for desktop. Not well described... |
What about iOS? |
Why is it presumed that EXIF is stripped due to compression? If that's true, all images would lose their rotation, and that isn't the case. Sus. |
There is no need for a full review. There is a need for accountability in a open source project. When you fix things that are related to "issues" you update the issue with the current status. |
Bug description
Signal for iOS includes EXIF data in sent images, including precise GPS data if present. Instead, EXIF data should be stripped (possibly except for the absolute bare minimum such as dimension and rotation).
Steps to reproduce
Actual result: Recipient sees the precise location the image was taken, along with all other EXIF fields
Expected result: Recipient sees no EXIF data whatsoever, as is the case when using Threema
Device info
Device: iPhone 6
iOS version: 10.3.1
Signal version: 2.10.1