this post was submitted on 01 Dec 2025
6 points (100.0% liked)

Privacy

4353 readers
150 users here now

Welcome! This is a community for all those who are interested in protecting their privacy.

Rules

PS: Don't be a smartass and try to game the system, we'll know if you're breaking the rules when we see it!

  1. Be civil and no prejudice
  2. Don't promote big-tech software
  3. No apathy and defeatism for privacy (i.e. "They already have my data, why bother?")
  4. No reposting of news that was already posted
  5. No crypto, blockchain, NFTs
  6. No Xitter links (if absolutely necessary, use xcancel)

Related communities:

Some of these are only vaguely related, but great communities.

founded 1 year ago
MODERATORS
otter@lemmy.ca
shaytan@lemmy.dbzer0.com
6
My Android phone has apparently leaked the list of all the apps plus browsing history I've ever installed via DNS? (lemmy.dbzer0.com)
submitted 2 weeks ago by floquant@lemmy.dbzer0.com to c/privacy@lemmy.dbzer0.com
6 comments fedilink hide all child comments
 

I was checking my Pi-Hole and noticed a lone spike of 700+ requests coming from my phone (Android 16) this morning. Upon checking the logs, it's all bogus domains corresponding to package names of apps I have previously installed via the Play Store, but never on this phone.

Going further back in the query log, I realized it also includes the package name of an app I developed years ago but never published on the store, nor on this phone. There's also a whole bunch of my browsing history apparently, domains I haven't visited in years - from the age of some of them I'm pretty sure it's Chrome history, as I only used Firefox sync for a brief period and my local history is <1y.

What the actual fuck? This is a Nothing Phone 3a, updated to Android 16 just a couple of days ago.

top 6 comments
sorted by: hot top controversial new old
[–] napkin2020@sh.itjust.works 1 points 2 weeks ago

Wouldn't worry too much about it. Seems like it's trying to fetch favicons. If this is an attempt to get lists of installed apps, it's too complicated to be called an overcomplicated way.

[–] floquant@lemmy.dbzer0.com 1 points 2 weeks ago (2 children)

The very first domain at the start of the spike is pass-api.proton.me. I it could have been Proton Pass to leak the list of domains and apps I have an account for. Still I find that to be quite worrying, whether it was a bug or something else..

[–] orris@lemmy.world 2 points 2 weeks ago

Not used proton pass. Does it collect favicons by querying every host?

[–] Assassassin@lemmy.dbzer0.com 0 points 2 weeks ago (1 children)

Could it possibly be some background check for valid domain names for proton pass? I imagine there could be a benefit to checking that the URLs associated with saved entries are actually live.

If the goal was exfiltrating a list of the sites you use, they don't really need to do it via some weird DNS stuff, since you're already expecting traffic directed at the proton api. They could just transfer an encrypted text file and call it a day. Doing this makes a ton of noise that you'd want to avoid if you were doing something shady, so it must serve some kind of function.

[–] floquant@lemmy.dbzer0.com 0 points 2 weeks ago* (last edited 2 weeks ago) (1 children)

But why would they do that from an end user's device instead of their servers? And what about the unresolvable package names?

I'm leaning more towards a bug than exfiltration at this point, but it is still a somewhat serious leak. The contents of proton pass are end to end encrypted and thus supposed to be confidential, while this has caused my whole vault to be leaked to public DNS servers via unencrypted UDP. If it was intentional, it's terrible design. Maybe some intern thought to have the client grab favicons.

[–] QuizzaciousOtter@lemmy.dbzer0.com 1 points 2 weeks ago* (last edited 2 weeks ago)

The contents of proton pass are end to end encrypted

That's precisely why they can't do the scan from their servers. They don't know the domains - they're decrypted only on your device.

this has caused my whole vault to be leaked to public DNS servers via unencrypted UDP

I feel like this is a tad dramatic. Surely, your vault contains more data, probably more sensitive, than just domain names.