Today, I saw notifications from Windows regarding the synchronization of my OpenCamera folder, while I wasn’t taking any pictures with my phone. So I looked it up and found pictures from someone that I don’t know at all. I have some of his screenshots, pictures of him with his two children, of the family in a church, of his cat, etc. I shut down Syncthing immediately.
I only have a two-way synchronization from my computer to my smartphone, and another from my computer to my laptop, nothing else.
I don’t know what happened, but my trust in the software is gone…
This isn’t really possible to happen without adding another device (which requires user consent) or impersonating one of your devices by using the same key files (see https://docs.syncthing.net/users/config.html). Is there any chance that someone may have copied your key files in one way or another?
Please post screenshots showing the Syncthing Web GUI on all affected devices. On the phone, you can access it from the left slide-out menu. Please make sure all your folders and remote devices are displayed on the screenshots.
Edit: Please also make sure your Syncthing Web GUI is either set to connect only using 127.0.0.0. Alternatively, if you’ve got it set to 0.0.0.0 for remote access, make sure it’s protected with a username and a strong and complicated password.
I don’t think anyone had access to my key files, but one cannot be sure he’s been hacked these days.
As you can see on my screenshots, it appears the Web GUI is not set to what you suggested, but I didn’t change it myself either, and it mentions something about startup options. What does that mean?
The startup options warning is related to using SyncTrayzor. Normally, it’s nothing to worry about.
Your remote device list seems to be very different on each device.
- DESKTOP-0D7KTJE - FP3, Win portable Loic
- DESKTOP-FFRTMH - Win fixe Loic
- Phone - Syncthing Central
Are these the same devices with different names or are there any devices here that you don’t recognise?
I recognize all of them:
- DESKTOP-0D7KTJE = Syncthing Central = Win fixe Loic
- DESKTOP-FFRTMH = Win portable Loic
- Phone = FP3
Can you please upload log files from all devices?
On Windows, you can find them in %LOCALAPPDATA%\Syncthing (copy and paste this into the address field in Explorer). On Android, it is stored in Android/data/com.nutomic.syncthingandroid on the internal storage, but if you’ve restarted Syncthing or the app in between, the original logs won’t be available anymore.
Please be aware that the logs do contain possibly private information, such as device and folder names, full file paths, etc.
Also, can you list some examples of the filenames that have got synced to your devices that you don’t recognise? They’re needed so that we can search for them in the logs and try to find out where they’ve come from.
Strix - Syncthing logs from laptop.txt (3.7 MB)
Strix - Syncthing logs from smartphone.log (5.3 KB)
Here they are. I used the Search & Replace tool of Microsoft Word to replace my last name and first name with ZZZ in the logs. The list of files I don’t own lists all the files I received (I used the dir command in cmd to get that).
I’m sorry for a late reply, but I’ve checked the logs now, and there doesn’t seem to be anything related to the files in question there. I’m not an expert though, so maybe if someone more knowledgeable could have a look at them, they may be able to find some clues. The only thing that looks a little concerning to me is a very large number of lines as follows.
[ISFCK] 22:24:00 INFO: Connected to already connected device F52O4VE-4PZYDJ5-BK7CEFP-XUVTBK6-VF5N4MN-CRZPYRQ-NT3WO52-ZBSITQJ (existing: [::]:22000-188.8.131.52:11960/quic-client/TLS1.3-TLS_CHACHA20_POLY1305_SHA256 new: [::]:22000-184.108.40.206:11960/quic-server/TLS1.3-TLS_CHACHA20_POLY1305_SHA256)
These do occur more or less often depending on the network configuration, but you seem to have quite a lot of them in the logs.
At this point though, I can only suggest resetting the Syncthing device IDs to something completely new and reconnecting the devices from scratch. This can be done easily by shutting Syncthing down and deleting the two key files listed under https://docs.syncthing.net/users/config.html. This way you will eliminate any possibility that someone impersonates one of your current devices.
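A small log-triage helper for the two checks discussed in this thread, added here as an example (not Syncthing’s own code or the poster’s): it parses log lines of the shape quoted above, counts how often each device triggers "Connected to already connected device", flags any device ID that is not in your own allowlist, and searches for the unrecognised filenames. The first sample line is the excerpt from the thread; the remaining lines and the UNKNOWN-… device ID are constructed.

```python
import re
from collections import Counter

# Syncthing device IDs are 8 dash-separated groups of 7 base32 characters (A-Z, 2-7).
DEVICE_ID_RE = re.compile(r"\b[A-Z2-7]{7}(?:-[A-Z2-7]{7}){7}\b")
# Log line shape seen in the thread: "[ISFCK] 22:24:00 INFO: <message>"
LOG_LINE_RE = re.compile(r"^\[(?P<src>\w+)\] (?P<time>\d\d:\d\d:\d\d) (?P<level>\w+): (?P<msg>.*)$")
ALREADY_CONNECTED = "Connected to already connected device"

# Device ID from the thread's log excerpt, treated here as one of the user's known remotes.
KNOWN_IDS = {"F52O4VE-4PZYDJ5-BK7CEFP-XUVTBK6-VF5N4MN-CRZPYRQ-NT3WO52-ZBSITQJ"}
# Constructed ID (valid shape only) standing in for a peer the user does not recognise.
UNEXPECTED_ID = "UNKNOWN-DEVICEI-DCONSTR-UCTEDFO-REXAMPL-EONLYXX-XXXXXXX-XXXXXXX"

# Constructed sample log: line 1 is the page's excerpt, the rest are made up for the demo.
SAMPLE_LOG = """\
[ISFCK] 22:24:00 INFO: Connected to already connected device F52O4VE-4PZYDJ5-BK7CEFP-XUVTBK6-VF5N4MN-CRZPYRQ-NT3WO52-ZBSITQJ (existing: [::]:22000-188.8.131.52:11960/quic-client/TLS1.3-TLS_CHACHA20_POLY1305_SHA256 new: [::]:22000-184.108.40.206:11960/quic-server/TLS1.3-TLS_CHACHA20_POLY1305_SHA256)
[ISFCK] 22:24:05 INFO: Connected to already connected device F52O4VE-4PZYDJ5-BK7CEFP-XUVTBK6-VF5N4MN-CRZPYRQ-NT3WO52-ZBSITQJ (existing: [::]:22000-10.0.0.5:22000/tcp-client/TLS1.3 new: [::]:22000-10.0.0.5:41000/tcp-server/TLS1.3)
[ISFCK] 22:24:09 INFO: Connected to already connected device UNKNOWN-DEVICEI-DCONSTR-UCTEDFO-REXAMPL-EONLYXX-XXXXXXX-XXXXXXX (existing: [::]:22000-10.0.0.9:22000/tcp-client/TLS1.3 new: [::]:22000-10.0.0.9:41001/tcp-server/TLS1.3)
[ISFCK] 22:24:12 INFO: Folder "OpenCamera": received item "IMG_20220529_101500.jpg" (constructed message)
not a syncthing log line
"""


def triage(log_text, known_ids):
    """Count 'already connected' churn per device and collect IDs missing from the allowlist."""
    reconnects, unknown, unparsed = Counter(), set(), 0
    for line in log_text.splitlines():
        m = LOG_LINE_RE.match(line)
        if not m:
            unparsed += 1          # lines that do not look like Syncthing output
            continue
        msg = m.group("msg")
        ids = set(DEVICE_ID_RE.findall(msg))
        unknown |= ids - known_ids  # any device ID you did not pair yourself
        if msg.startswith(ALREADY_CONNECTED):
            reconnects.update(ids)  # one hit per device per reconnect line
    return reconnects, unknown, unparsed


def find_mentions(log_text, filenames):
    """Return the log lines that mention any of the unrecognised filenames."""
    return [line for line in log_text.splitlines() if any(name in line for name in filenames)]


if __name__ == "__main__":
    counts, unexpected, skipped = triage(SAMPLE_LOG, KNOWN_IDS)
    for dev, n in counts.most_common():
        print(f"{n:4d} reconnects  {dev}  {'UNKNOWN' if dev in unexpected else 'known'}")
    print(f"{skipped} unparsed line(s)")
    for hit in find_mentions(SAMPLE_LOG, ["IMG_20220529_101500.jpg"]):
        print("filename hit:", hit)
```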
I’ve found the root of the issue. I did not mention it, but I’m using a fork of Android on my smartphone called eOS, and with it came a drive storage. On Sunday May 29th, while migrating their cloud system, the eOS team accidentally created a bug with authentication, leading to several users receiving files from other users.
To be honest, I never configured the drive myself, so I didn’t know it was synchronizing a folder Syncthing was already taking care of.
Thank you so much for your help and reactivity,
Glad that you’ve found the culprit (and that it wasn’t Syncthing!). This sounds like quite a massive security issue in itself though. Apart from the obvious individual, private pictures, people also take copies of various documents (e.g. work/government-related) that may contain confidential information. I hope none of your data had been leaked in a similar way.
Yes, my trust in Syncthing has been restored!
Thankfully, I don’t have any sensitive documents on my smartphone, except for my KeePass database… I’ve changed the master password and I’m changing the passwords of my email addresses.
I always wanted to get myself a Fido2 key for double authentication purposes; I guess it’s time now.