this post was submitted on 01 Dec 2025
71 points (98.6% liked)

Privacy

4334 readers
42 users here now

Welcome! This is a community for all those who are interested in protecting their privacy.

Rules

PS: Don't be a smartass and try to game the system, we'll know if you're breaking the rules when we see it!

  1. Be civil and no prejudice
  2. Don't promote big-tech software
  3. No apathy and defeatism for privacy (i.e. "They already have my data, why bother?")
  4. No reposting of news that was already posted
  5. No crypto, blockchain, NFTs
  6. No Xitter links (if absolutely necessary, use xcancel)

Related communities:

Some of these are only vaguely related, but great communities.

founded 1 year ago
MODERATORS
otter@lemmy.ca
shaytan@lemmy.dbzer0.com
71
My Android phone has apparently leaked the list of all the apps plus browsing history I've ever installed via DNS? (lemmy.dbzer0.com)
submitted 1 week ago by floquant@lemmy.dbzer0.com to c/privacy@lemmy.dbzer0.com
12 comments fedilink hide all child comments
 

I was checking my Pi-Hole and noticed a lone spike of 700+ requests coming from my phone (Android 16) this morning. Upon checking the logs, it's all bogus domains corresponding to package names of apps I have previously installed via the Play Store, but never on this phone.

Going further back in the query log, I realized it also includes the package name of an app I developed years ago but never published on the store, nor on this phone. There's also a whole bunch of my browsing history apparently, domains I haven't visited in years - from the age of some of them I'm pretty sure it's Chrome history, as I only used Firefox sync for a brief period and my local history is <1y.

What the actual fuck? This is a Nothing Phone 3a, updated to Android 16 just a couple of days ago.

top 12 comments
sorted by: hot top controversial new old
[–] floquant@lemmy.dbzer0.com 22 points 1 week ago (2 children)

The very first domain at the start of the spike is pass-api.proton.me. I it could have been Proton Pass to leak the list of domains and apps I have an account for. Still I find that to be quite worrying, whether it was a bug or something else..

[–] Assassassin@lemmy.dbzer0.com 21 points 1 week ago (1 children)

Could it possibly be some background check for valid domain names for proton pass? I imagine there could be a benefit to checking that the URLs associated with saved entries are actually live.

If the goal was exfiltrating a list of the sites you use, they don't really need to do it via some weird DNS stuff, since you're already expecting traffic directed at the proton api. They could just transfer an encrypted text file and call it a day. Doing this makes a ton of noise that you'd want to avoid if you were doing something shady, so it must serve some kind of function.

[–] floquant@lemmy.dbzer0.com 5 points 1 week ago* (last edited 1 week ago) (2 children)

But why would they do that from an end user's device instead of their servers? And what about the unresolvable package names?

I'm leaning more towards a bug than exfiltration at this point, but it is still a somewhat serious leak. The contents of proton pass are end to end encrypted and thus supposed to be confidential, while this has caused my whole vault to be leaked to public DNS servers via unencrypted UDP. If it was intentional, it's terrible design. Maybe some intern thought to have the client grab favicons.

[–] QuizzaciousOtter@lemmy.dbzer0.com 19 points 1 week ago* (last edited 1 week ago)

The contents of proton pass are end to end encrypted

That's precisely why they can't do the scan from their servers. They don't know the domains - they're decrypted only on your device.

this has caused my whole vault to be leaked to public DNS servers via unencrypted UDP

I feel like this is a tad dramatic. Surely, your vault contains more data, probably more sensitive, than just domain names.

[–] Assassassin@lemmy.dbzer0.com 10 points 1 week ago

I mean no offense, but I think you might be being a tad paranoid on this one. There really isn't much that can be done with a list of sites you've saved credentials for once. If it was your most visited sites, I guess you would maybe be slightly more vulnerable to spear phishing. But just a bulk blast of sites over DNS doesn't really tell anyone anything, it just looks like normal-ish DNS traffic.

[–] orris@lemmy.world 18 points 1 week ago (2 children)

Not used proton pass. Does it collect favicons by querying every host?

[–] Assassassin@lemmy.dbzer0.com 11 points 1 week ago

This seems like the most likely answer

[–] stankmut@lemmy.world 7 points 1 week ago

There is a setting called "Use Web Icons" in the app that I would guess is linked to this.

[–] napkin2020@sh.itjust.works 9 points 1 week ago

Wouldn't worry too much about it. Seems like it's trying to fetch favicons. If this is an attempt to get lists of installed apps, it's too complicated to be called an overcomplicated way.

[–] Lodespawn@aussie.zone 6 points 1 week ago

I assume your upstream DNS provider is privacy focused and keeps no logs yeah? Unless someone is logging all your packet meta data (looking at you five eyes governments) possibly not a big drama ..

[–] Aussiemandeus@aussie.zone -5 points 1 week ago (1 children)

There's no privacy in anything when it can be sold

[–] Typhoon@lemmy.ca 2 points 1 week ago

Agreed. As long as there is an incentive for people to spy they will spy. This is why we need strong privacy legislation. Privacy is a right.