That’s from my own experience. I had a self-hosted matrix server running with Dendrite, and the mautrix-whatsapp bridge running.
The bridge was running in puppeted mode, so upon synchronizing contacts, the bridge created “fake” users on the matrix server, one for each of my whatsapp contacts. The matrix username of these contacts is (by default) whatsapp_<phone_number>:domain.tld. And these users are visible (at least) by other users on the same server. It was my own instance and I was the sole user so I didn’t really care. But when a friend of mine wanted to try matrix, I created an account for him on the server, and when he joined, he could see all the fake whatsapp/telegram/discord users created by the bridge on the server. And as the default username includes the phone number, he basically had access to my whole phone contact list in real time.
https://github.com/matrix-org/synapse/issues/8969 This may be of interest- it’s basically the same thing. Seems that before that patch was merged, bridge-created puppet contacts would show up in searches.
Of course that’s for Synapse not Dendrite. So it sounds like Dendrite never applied that same functionality.
That’s from my own experience. I had a self-hosted matrix server running with Dendrite, and the mautrix-whatsapp bridge running. The bridge was running in puppeted mode, so upon synchronizing contacts, the bridge created “fake” users on the matrix server, one for each of my whatsapp contacts. The matrix username of these contacts is (by default)
whatsapp_<phone_number>:domain.tld. And these users are visible (at least) by other users on the same server. It was my own instance and I was the sole user so I didn’t really care. But when a friend of mine wanted to try matrix, I created an account for him on the server, and when he joined, he could see all the fake whatsapp/telegram/discord users created by the bridge on the server. And as the default username includes the phone number, he basically had access to my whole phone contact list in real time.Very interesting.
https://github.com/matrix-org/synapse/issues/8969 This may be of interest- it’s basically the same thing. Seems that before that patch was merged, bridge-created puppet contacts would show up in searches.
Of course that’s for Synapse not Dendrite. So it sounds like Dendrite never applied that same functionality.