> you would be surprised how quickly this adds up
Yes, but if social engineering is involved and tracing back through user conversations across a platform, it's hardly a vulnerability, let alone one deserving of a bounty. The way this is currently functioning is intended functionality, and can be further locked down depending on the user's threat model.
This can essentially be classified as opsec failure for the Signal user. If they're trying to hide from a hit in a 300-mile radius, they've got bigger problems to worry about, and should already be using a VPN setup.
Every time you click on a link your external IP address is exposed, is this a vulnerability? Being online without a VPN / proxy is inherent consent to have your external IP & other required items to be shared with services / middlemen.
When it comes to Discord, if you have this strict of a threat model and you're still using it, idk what to tell you.
If I can send you a link and be guaranteed that you click on it, then that’s definitely a security issue.
> When it comes to Discord, if you have this strict of a threat model and you're still using it, idk what to tell you.
I mean, you just never know... I've seen a lot of wild things, I've seen what drives people to do crazy things. Just look up the "Deadly Runescape E Dater" who flew from the US to the UK to stab the girl he e-dated.
These are all the classic dismissals of security issues, including blaming the user.
> opsec failure for the Signal user
Signal's mission is to provide security for users who don't know the word 'opsec'.