pleroma.debian.social

Have any security people ever audited the "Home Assistant Signal Addon" ?

I just discovered that it downloads and stores every single signal message attachment... ( /addon_configs/*_signal_messenger/attachments/ )

I only use it for sending notifications. The docs don't seem to mention this anywhere. Seems like a massive leak of my "private data" where I wasn't expecting it.

While we're at it, could someone get signal.org to explain why they won't release *all* their backend automation code?

It also downloads and caches the avatars of everyone you ever talked to. Including all those sketchy spammers with "sexy" photos. So I've got those on my home assistant machine.

Maybe I should make a scammer photo with an EICAR image, haha.

But more seriously, it stores all the signal private keys in plain text. Have a look in data/*

WAT
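A quick way to see the exposure on your own box, as an added example (not code from the thread or from the add-on project): it walks the add-on config directory described above, counts what is stored under attachments/ and data/, and flags key material that other local accounts could read. The avatars directory name is an assumption.

```shell
#!/bin/sh
# Added example, not part of the thread or the add-on's own code.
# Assumes the layout the thread describes: an add-on config root such as
# /addon_configs/<slug>_signal_messenger with attachments/ and data/ under it.
# The "avatars" directory name is an assumption.

# Print "<subdir>: <n>" for each directory the thread mentions, so you can
# see how much message content and key material has accumulated.
inventory_signal_addon() {
    root="$1"
    for sub in attachments avatars data; do
        dir="$root/$sub"
        [ -d "$dir" ] || continue
        n=$(find "$dir" -type f | wc -l | tr -d ' ')
        echo "$sub: $n"
    done
}

# Count files under data/ (where the thread says the keys live) whose mode
# grants read access to group or others, i.e. to any other local account.
# Prints 0 when there is no data/ directory.
count_exposed_key_files() {
    root="$1"
    dir="$root/data"
    [ -d "$dir" ] || { echo 0; return 0; }
    find "$dir" -type f \( -perm -040 -o -perm -004 \) | wc -l | tr -d ' '
}

# Stand-alone use against a real Home Assistant add-on config tree:
#   for r in /addon_configs/*_signal_messenger; do
#       echo "== $r"; inventory_signal_addon "$r"
#       echo "readable key files: $(count_exposed_key_files "$r")"
#   done
```

A non-zero count from the second function means the plaintext keys are readable by more than the add-on's own user; anything non-zero in attachments/ is message content you may not have expected to be kept.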

@purpleidea if you have Google services and the HA App on your phone, those can do notifications for you, no need for external services.
Otherwise I can recommend ntfy.sh

@zhenech I don't want to run the HA app all the time, but you're saying it can do push notifications without the app running?

In any case, I'm sure a ton of people use this add-on, so this is a major security f-up AFAICT. I mean who knows if it even then exfiltrates this data, but even if not, I can't imagine it's hard to hack HASS, lol.

@purpleidea the app doesn't need to run (in the foreground), google will wake it up just fine.

And yes of course, this looks like a security issue with the integration.

@purpleidea sounds like a bug?!

@zhenech
This only works if the app was installed from the play store though. If you install it from f-droid, the necessary APIs aren't available and so it does not work.
@purpleidea