Critical flaws in Desktop Session messenger

I’ve used Session messenger that’s recommended and it has two critical flaws:

  1. Link preview leaks your IP when pasting links
  2. The onion route can have the first and last hop before the destination be the same server IP.

After looking into the GitHub repo these problems have been raised quite some time ago, but the issues remain open:

In addition to this, all attachments that are sent are written to the disk if you’re in groups and everything in 1 on 1 conversations after accepting the first attachment. There’s no way to disable this either. Also the option to clear data doesn’t appear to shred it as far as I can tell.

I find other design decisions to be dubious but not as critical (i.e. the decision to remove PFS, and the logic behind their sybil resistance being that it’d be too expensive but would be budget rounding error for an APT targeting journalists) and just wanted to mention this too so everything is out there.

Has anyone else run into these issues or have similar concerns?

2 Likes
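To make the second flaw in the post above concrete, here is an added example (my own code, not Session's; Session's real path-selection logic is not shown on this page) that validates an onion path so the guard and the exit hop are never served from the same IP, and picks a path from a constructed node pool that satisfies this. Node keys and IPs are made up for the demo.

```typescript
// Added example (not Session's code): check that no two hops of an onion path,
// in particular the first hop and the last hop before the destination, share a
// server IP, and build a path that avoids this. Node pool is constructed.

interface ServiceNode {
  pubkey: string;
  ip: string;
  port: number;
}

// Returns a list of problems with the path; an empty list means it is acceptable.
function pathProblems(path: ServiceNode[]): string[] {
  const problems: string[] = [];
  if (path.length < 3) {
    problems.push(`path has ${path.length} hops, need at least 3`);
  }
  const seen = new Map<string, number>(); // ip -> index of first hop using it
  path.forEach((node, i) => {
    const prev = seen.get(node.ip);
    if (prev !== undefined) {
      problems.push(`hop ${prev} and hop ${i} share IP ${node.ip}`);
    } else {
      seen.set(node.ip, i);
    }
  });
  return problems;
}

// Choose `hops` nodes with pairwise distinct IPs, walking the pool in order
// (deterministic so the result is checkable; a real client would shuffle the
// pool first). Returns null when the pool cannot supply enough distinct IPs.
function buildDistinctIpPath(pool: ServiceNode[], hops = 3): ServiceNode[] | null {
  const path: ServiceNode[] = [];
  const usedIps = new Set<string>();
  for (const node of pool) {
    if (usedIps.has(node.ip)) continue; // same server, different port: skip
    usedIps.add(node.ip);
    path.push(node);
    if (path.length === hops) return path;
  }
  return null;
}

// Constructed pool: nodes "aa" and "cc" run on the same IP (different ports).
const POOL: ServiceNode[] = [
  { pubkey: "aa", ip: "203.0.113.10", port: 22021 },
  { pubkey: "bb", ip: "198.51.100.7", port: 22021 },
  { pubkey: "cc", ip: "203.0.113.10", port: 22022 },
  { pubkey: "dd", ip: "192.0.2.55", port: 22021 },
];

// The situation described in the report: guard and exit on one server IP.
const FLAWED_PATH: ServiceNode[] = [POOL[0], POOL[1], POOL[2]];
```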

I don’t use the desktop app all that much but I do find it massively annoying that the android app doesn’t work with bluetooth headphones for calls. Yes, calls are a beta feature… introduced in April 2022 (Hey, I just met you, and this is crazy: Calls beta release - Session Private Messenger). For me it demonstrates that their development is veeeerry slow even when it comes to basic functionality

1 Like

This is the correct way to handle link previews, and matches the behavior of all secure messengers (except Matrix?) AFAIK.

You should disable link previews if you are concerned about this, but the reasoning is that if you are pasting a link you’ve presumably already visited the website you’re linking to, so it’s something you’ve previously established a connection to.

3 Likes

Session shouldn’t just emulate the behavior of the other messengers. Unlike most other messengers, Session routes its messages through its anonymization network. In that context, I consider generating link previews via clearnet connections to be a leak, and I wonder if Session users are aware that happens. Session shouldn’t presume that the user has already visited the website let alone visited it using a clearnet connection.

Personally I hate the link previews function for this reason, so I just disable it in all my messenger clients.

6 Likes

Interesting, that is a good point.

Generally link previews are better disabled as it just adds additional attack surface.

1 Like

I think PG should recommend disabling it, it is not even mentioned in the Quarkslab audit.

Source for this claim? I didn’t test it, but I searched their GitHub issues and didn’t find any relevant info.