This is quite a detailed write-up. I went through the post quickly, but didn’t get why Signal would just download an attachment from an unknown number/contact without first prompting the user to accept or deny the conversation request. I’ve seen conversation requests always waiting for me to accept or not. If I don’t accept, I don’t see any messages on that chat and the other person doesn’t get any indication of message delivery. What have I missed?
If the message is from a known or trusted contact, I think there can be larger problems than just a rough location reveal.
> I went through the post quickly, but didn’t get why Signal would just download an attachment from an unknown number/contact without first prompting the user to accept or deny the conversation request.
I guess you went through the post too quickly, because it goes over how that's exactly how it works. Unless you have push notifications enabled and on default settings to include the content in the push notification.
> I went through the post quickly, but didn’t get why Signal would just download an attachment from an unknown number/contact without first prompting the user to accept or deny the conversation request.
Where are you getting the impression that Signal auto-downloads attachments from an unknown number/contact? The OP says there's auto-download, but not that it happens from unknown contacts.
> didn’t get why Signal would just download an attachment from an unknown number/contact
Usability, most likely. Ultra-secure and paranoid doesn't result in good UX most of the time.