> "deanonymization" is stretching the definition of the word, along with "grab the user's location", as it isn't anything near precise.
You'd think so, but you would be surprised how quickly this adds up to other details people share, like "oh I just drove 15 minutes to get Starbucks" or something to that effect, small things that eventually add up to a precise location over time.
Yes, but if social engineering is involved and tracing back through user conversations across a platform, it's hardly a vulnerability, let alone one deserving of a bounty. The way this is currently functioning is intended functionality, and can be further locked down depending on the user's threat model.
This can essentially be classified as opsec failure for the Signal user. If they're trying to hide from a hit in a 300 mile radius, they've got bigger problems to worry about, and should already be using a VPN setup.
Every time you click on a link your external IP address is exposed, is this a vulnerability? Being online without a VPN / proxy is inherent consent to have your external IP & other required items to be shared with services / middlemen.
When it comes to Discord, if you have this strict of a threat model and you're still using it, idk what to tell you.
Blaming the user is sometimes what it boils down to. Security includes a balancing act that involves usability, and Signal is firstly targeting the masses, but includes settings that can be configured for high-risk scenarios.
This "vulnerability" requires the user to have none of the normal things a person with a more extreme threat model would have already configured. EZPZ guides online on locking down Signal.
It's just like an iPhone. They don't ship with Lockdown Mode enabled by default, as it hurts the average consumer's usability. Signal at minimum will ensure no one is snooping on your messages, and it's up to the user whether they want to take that further.
If your definition of not providing security is allowing someone to know they exist on a continent, then that user's ISP has performed terribly as well since they aren't bouncing their signal around the world by default.
> Blaming the user is sometimes what it boils down to.
At least we agree about your argument. :)
> Signal at minimum will ensure no one is snooping on your messages, and it's up to the user whether they want to take that further.
Signal also secures metadata, including the participants in the conversation. That is undeniable - they have gone through considerable development investment to provide that feature.
> that user's ISP has performed terribly
Now we're blaming the ISP. If your app doesn't work with your users and ISPs, who does it work for? And how does a non-technical end-user know whether or when to trust you?
The comment says:
> Every time you click on a link your external IP address is exposed, is this a vulnerability? Being online without a VPN / proxy is inherent consent to have your external IP & other required items to be shared with services / middlemen.
The fact that a user's IP is exposed when they click on a link is only relevant to the original post if a user would do this automatically and without realizing. The original post alleges that they can send someone a message on Signal and have the user automatically and somewhat unknowingly load a resource from a server. Sure, the author doesn't claim they have much control over the resource or the server, but they do show how you can check which server the user accessed and how that leaks information about the location of the user to a certain extent.
> When it comes to Discord, if you have this strict of a threat model and you're still using it, idk what to tell you.
I mean, you just never know... I've seen a lot of wild things, I've seen what drives people to doing crazy things. Just look up the "Deadly Runescape E Dater" who flew from the US to the UK to stab the girl he e-dated.