When transferring a profile to another device, the "Profile transferred" message only goes into the local device messages chat of the transferring device. It would improve security if that message went to all devices, imo.
Say someone has access to one of your devices just for a short time (or finds other ways to trick you), adds a second device and deletes the "Profile transferred" message on that device. From then on you would never know that there is an additional device listening to all your chats.
Yes - if someone gets access to your device, he could just make a backup and transfer it anywhere, but "add second device" is very fast and convenient for that kind of attack.
And a fix is easy to implement: just send the success message to the SELF chat instead of device messages in

```rust
add_device_msg(&context, None, Some(&mut msg)).await?;
```
core/src/imex/transfer.rs, line 212 in a95bf77
Edit: the same applies for restore from backup