In Signal for Android version 5.17.3, bug due to which the application sometimes sent random images from the gallery to contacts was fixed. The problem was noticed back in December 2020, however, given the difficulty of reproducing the bug, it took more than half a year to release the patch.
The bug manifested itself very simply: when sending an image to one of the contacts, person sometimes receives not only the selected image, but also several random ones, which the sender was not going to send.An example of such a situation can be seen in the screenshots below: the user sent one GIF to the interlocutor, and received several images at once.
Rob Connolly first noticed the problem and reported on GitHub, and his findings were soon confirmed by other users. Connolly even suspected that the error could be related to the transmission of messages from another contact of the recipient or an unknown third party, but, fortunately, he turned out to be wrong.
Signal developers immediately requested logs from users to fix the problem, but it took six months to create the patch, which caused discontent in the community.
Another user, Adrian Ostrowski, wrote that a similar mistake generally made it impossible to share images confidentially through Signal.
Signal Android developer Grayson Parrelli responded to criticism on YCombinator Hacker News, where he talked about the technical details of the bug, as well as how the bug was not easy to detect:
Let me remind you that we wrote that Vulnerabilities in Signal, Google Duo and Facebook Messenger allowed spying on users.
