SimpleX Chat Leaking User IPs

MykaScoff · June 5, 2025, 3:12am

SimpleX Chat doesn’t take any action to protect your IP from prying eyes. Take a look for yourself:

protocol/overview-tjr.md

stable

Revision 2, 2024-06-22

Evgeny Poberezkin

# SimpleX: messaging and application platform

## Table of contents

- [Introduction](#introduction)
  - [What is SimpleX](#what-is-simplex)
  - [SimpleX objectives](#simplex-objectives)
  - [In Comparison](#in-comparison)
- [Technical Details](#technical-details)
  - [Trust in Servers](#trust-in-servers)
  - [Client -> Server Communication](#client---server-communication)
  - [2-hop Onion Message Routing](#2-hop-onion-message-routing)
  - [SimpleX Messaging Protocol](#simplex-messaging-protocol)
  - [SimpleX Agents](#simplex-agents)
  - [Encryption Primitives Used](#encryption-primitives-used)
- [Threat model](#threat-model)

This file has been truncated. show original

SimpleX Messaging Protocol Server can: … learn a recipient’s IP address, track them through other IP addresses they use to access the same queue, and infer information (e.g. employer) based on the IP addresses, as long as Tor is not used.

More Cases of IP Exposure

This isn’t the only case of SimpleX leaking user IPs when sending a link:

github.com/simplex-chat/simplex-chat

Simplex link previews connects directly to the website when sending links, switch to using SOCKS proxy.

opened 01:10PM - 31 Oct 24 UTC

StuartLitt

enhancement

### Is there an existing issue for this? - [X] I have searched the existing iss…ues ### Platform Android ### OS version Android 12 ### App version 6.1.1 F-Droid ### Current Behavior Proxy enable ![Screenshot_20241031-094615](https://github.com/user-attachments/assets/c6e293af-dc45-4a9c-a903-005aa2bc2fb1) Preview link enable ![Screenshot_20241031-095148](https://github.com/user-attachments/assets/d034ec50-3ca7-48ba-9abb-54f19e2c16f4) Test leak ![Screenshot_20241031-094717](https://github.com/user-attachments/assets/28cbe8f8-de49-4166-b750-4457d759b1c7) Leak detected using RethinkDNS ![Screenshot_20241031-094809](https://github.com/user-attachments/assets/ed6c0cc8-2f85-4481-b8e3-8fe0f7ce60b9) ### Expected Behavior There should be no IP leak, this is a loophole for them to invade your device with zero click, and your network provider and hackers can know the metadata of the conversations. ### Steps To Reproduce 1. Download RethinkDNS 2. Enable Proxy in SimpleX 3. Enable RethinkDNS 4. Send link to SimpleX 5. Leak detected using RethinkDNS ### Relevant log output _No response_

Thankfully, SimpleX’s founder, Evgeny Poberezkin, addressed the issue. However, instead of acknowledging it as a privacy flaw, he labeled it a feature, not a bug:

Given that it is a documented behaviour, it is certainly not a bug, and it is also incorrect to call it a leak - every server you connect to, be it you ISP, VPN provider or Tor relay, can see your IP address, as this is how Internet works.

Instead of resolving the issue, SimpleX suggests users take extra steps to mitigate the risk themselves, such as:

- Using a VPN.
- Disabling link previews manually in settings.

But as one commenter pointed out:

It is important to state that no other messaging app that we know of considers this a non-issue. Not even Discord or Matrix - both ask a fully (Discord) or semi (Matrix)-trusted server to do the network request on behalf of the client.

Strange Justifications for Avoiding Tor Integration

SimpleX further avoids integrating Tor, claiming:

The last, but not the least, it would create an unfair competitive advantage to Tor. We believe in competition, and we want our users to be able to choose which transport overlay network to use, based on what network threat model works best for them.

Rather than embedding Tor, they expect users to set up Orbot manually, arguing that if users can’t manage this, they shouldn’t be using Tor at all.

At this point, users might be better off using Facebook Messenger with PGP keys.

Dismissive Responses to Security Concerns

When users raise concerns, responses often feel dismissive:

https://www.reddit.com/r/SimpleXChat/comments/19efalx/can_i_really_pull_other_peoples_ip_addresses

More comprehensive criticism of SimpleX’s privacy weaknesses:

Examples of user concerns being brushed aside:

Additional Concerns

The company is based in London.
The project has received funding from Jack Dorsey.

Another discussion highlighting these and other issues:
https://kiwifarms.st/threads/simplex-chat-discussion.203000/

Conclusion

I don’t trust SimpleX to protect my IP address. Their dismissive attitude toward privacy concerns raises suspicion.

c0mmando · June 10, 2025, 2:08am

if you’re using an online messenger of any kind and you have any expectation of privacy, then you should probably be using vpns and tor…

you shouldn’t be putting any trust in any entity to protect your IP address for you…

this smells like FUD