Is it unsafe to use syncthing on a potentially compromised/infected device

I have a few friends I want to share files with, although I don’t really trust that their ‘security standards’ meet my degree of paranoia, and in the case that one of them gets infected with ‘something’, I wanna know if I should worry about it spreading over Syncthing.

Obviously it could just copy something to the Syncthing folder, but I’m not super worried about that because we share files that are kinda hard to spread something across (markdown, image, video, all for Obsidian notes… At least I don’t think anything can spread easily across that, although if there is something please do tell).

However (assuming that the malware or person knows how to take advantage of Syncthing), is there something that their device could send or do now that they have my friend’s side of the Syncthing “keys” (or whatever Syncthing uses to authenticate other devices) that could cause harm to my system (without having to have me run an executable or do something stupid), that doesn’t include just deleting the stuff in my Syncthing folder (and only my Syncthing folder)?

Don’t know if it matters, but:

Syncthing version: v1.23.1, Linux (64-bit Intel/AMD)

Their system OSes: Windows (don’t know the specific version) + macOS (don’t know the specific version) + some that use Linux Fedora Workstation (don’t know the specific version)

My system OS: Linux Debian Bullseye

Well, there are always ways to get around anything. For example, there are various types of (Windows) filetype spoofing mechanisms (such as this one, for Windows) to make stuff look like a text file, a PDF, an image etc. while actually being a script/executable. Linux doesn’t really use file extensions, so any file can be anything and it all depends on your interpreter.

An attacker that is able to write arbitrary files to your system (even if restricted to a folder) is always associated with some amount of risk. Whether that’s acceptable is up to you, but I personally wouldn’t lose too much sleep about this.

In terms of Syncthing, there are no known full-system-access exploits or anything like that. Syncthing devices are restricted to the folders shared with them, and new folders or devices still have to be accepted by you (unless configured otherwise, auto-accept/introducer features). An attacker controlling a Syncthing device can read and write to all shared folders, but not more. DoS-style attacks are potentially possible (i.e. some sort of disk space exhaustion until Syncthing stops automatically).

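The settings named in the reply above (which folders a device is shared into, auto-accept, introducer, and disk-space exhaustion) can be checked in Syncthing's `config.xml`. The following audit is an added example, not part of the original thread and not Syncthing's own code; the sample configuration, device IDs and the `audit` helper are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample config.xml; device IDs are placeholders, not real IDs.
SAMPLE_CONFIG = """\
<configuration version="37">
  <folder id="obsidian" label="Notes" path="/home/me/notes" type="sendreceive">
    <device id="FRIEND-A-PLACEHOLDER"></device>
    <device id="FRIEND-B-PLACEHOLDER"></device>
    <minDiskFree unit="%">0</minDiskFree>
  </folder>
  <folder id="photos" label="Photos" path="/home/me/photos" type="sendonly">
    <device id="FRIEND-A-PLACEHOLDER"></device>
    <minDiskFree unit="%">1</minDiskFree>
  </folder>
  <device id="FRIEND-A-PLACEHOLDER" name="friend-a" introducer="true">
    <autoAcceptFolders>false</autoAcceptFolders>
  </device>
  <device id="FRIEND-B-PLACEHOLDER" name="friend-b" introducer="false">
    <autoAcceptFolders>true</autoAcceptFolders>
  </device>
</configuration>
"""

def audit(config_xml, untrusted):
    """List settings that widen what the given (untrusted) device IDs can do."""
    root = ET.fromstring(config_xml)
    findings = []
    for dev in root.findall("device"):  # top-level entries hold trust settings
        if dev.get("id") not in untrusted:
            continue
        name = dev.get("name", dev.get("id"))
        if dev.get("introducer") == "true":
            findings.append(f"{name}: introducer, devices it introduces are added automatically")
        if dev.findtext("autoAcceptFolders", "false").strip() == "true":
            findings.append(f"{name}: folders offered by this device are auto-accepted")
    for folder in root.findall("folder"):
        shared = {d.get("id") for d in folder.findall("device")} & untrusted
        if not shared:
            continue
        if folder.get("type") in ("sendreceive", "receiveonly"):
            findings.append(f"folder {folder.get('id')}: applies changes from {sorted(shared)}")
        free = folder.find("minDiskFree")
        if free is None or float(free.text or 0) == 0:
            findings.append(f"folder {folder.get('id')}: no minDiskFree limit set")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG, {"FRIEND-A-PLACEHOLDER", "FRIEND-B-PLACEHOLDER"}):
        print(line)
```
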