SUMMARY
NeoChat leaks the following metadata in the *public* device ID:
- Hostname
- OS name and version
- CPU architecture

This can be enough for bad actors (like stalkers, scammers and authoritarian governments) to deanonymize a user. This puts users who rely on Matrix for secure communication at risk.

STEPS TO REPRODUCE
1. Log in with NeoChat

OBSERVED RESULT
Default device ID is: "NeoChat sysrq.in gentoo 2.14 x86_64"

EXPECTED RESULT
Default device ID is just "NeoChat"

SOFTWARE/OS VERSIONS
Operating System: Gentoo Linux 2.17
KDE Plasma Version: 6.2.3
KDE Frameworks Version: 6.7.0
Qt Version: 6.7.3
Kernel Version: 6.12.1-gentoo (64-bit)
Graphics Platform: Wayland
Processors: 8 × AMD FX-8320E Eight-Core Processor
Memory: 11.6 ГиБ of RAM
Graphics Processor: NVD9

Commit that introduced this privacy issue: https://invent.kde.org/network/neochat/-/commit/6b86c113f449056625916e24e251118d94f6251a
A possibly relevant merge request was started @ https://invent.kde.org/network/neochat/-/merge_requests/2032

Git commit 9d887ba3e726e024797684b9311bb1c793302470 by Carl Schwan, on behalf of Tobias Fella.
Committed on 02/12/2024 at 15:50.
Pushed by carlschwan into branch 'master'.

Remove system information from device display name

M +1 -2 src/login.cpp
M +1 -4 src/registration.cpp

https://invent.kde.org/network/neochat/-/commit/9d887ba3e726e024797684b9311bb1c793302470

Git commit 64c5ad88f6d0e1828114d945fb9269dd1fb8c160 by Carl Schwan.
Committed on 02/12/2024 at 16:07.
Pushed by carlschwan into branch 'release/24.12'.

Remove system information from device display name

(cherry picked from commit 9d887ba3e726e024797684b9311bb1c793302470)

Co-authored-by: Tobias Fella <fella@posteo.de>

M +1 -2 src/login.cpp
M +1 -4 src/registration.cpp

https://invent.kde.org/network/neochat/-/commit/64c5ad88f6d0e1828114d945fb9269dd1fb8c160
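
A way to audit existing sessions for the leak described in the report, as an added example that is not part of the original thread or NeoChat's code: it scans device display names, in the shape returned by the Matrix `GET /_matrix/client/v3/devices` endpoint, for hostname, version and CPU architecture tokens. The sample response, the device IDs in it and the heuristic patterns are constructed for illustration.

```python
import re

# Constructed sample shaped like a Matrix GET /_matrix/client/v3/devices response.
SAMPLE_DEVICES = {
    "devices": [
        {"device_id": "AAAAAAAAAA", "display_name": "NeoChat sysrq.in gentoo 2.14 x86_64"},
        {"device_id": "BBBBBBBBBB", "display_name": "NeoChat"},
        {"device_id": "CCCCCCCCCC", "display_name": None},
    ]
}

# Heuristic patterns (assumptions of this example, not an exhaustive list).
ARCH = re.compile(r"\b(x86_64|amd64|i[3-6]86|aarch64|arm64|armv\d\w*|riscv64|ppc64(?:le)?)\b", re.I)
# Dotted name ending in an alphabetic label: hostname-like, unlike "2.14".
HOSTNAME = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
# Dotted number that could be an OS or kernel version.
VERSION = re.compile(r"\b\d+(?:\.\d+)+\b")


def leaked_fields(display_name, local_hostname=None):
    """Return the sorted kinds of system metadata found in a device display name."""
    if not display_name:
        return []
    found = set()
    if ARCH.search(display_name):
        found.add("cpu_architecture")
    if HOSTNAME.search(display_name):
        found.add("hostname")
    # Short hostnames have no dot; compare against the known local name if given.
    if local_hostname and local_hostname.lower() in display_name.lower().split():
        found.add("hostname")
    if VERSION.search(display_name):
        found.add("version_string")
    return sorted(found)


def audit(devices_response, local_hostname=None):
    """Map device_id -> leaked metadata kinds, for devices that leak anything."""
    report = {}
    for dev in devices_response.get("devices", []):
        kinds = leaked_fields(dev.get("display_name"), local_hostname)
        if kinds:
            report[dev["device_id"]] = kinds
    return report


if __name__ == "__main__":
    for device_id, kinds in audit(SAMPLE_DEVICES).items():
        print(device_id, "leaks:", ", ".join(kinds))
```

Sessions created before the fix keep the display name they were given at login, so flagged devices have to be renamed or logged out to clear it.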