An issue with Mac computers sees Signal’s encryption compromised.
Many privacy-conscious individuals, activists and security experts use Signal daily to communicate privately.
The app’s encryption technology, developed by Open Whisper Systems, has been lauded in the security industry, but a recent issue points to a problem with the desktop version of the app on Mac machines.
A particularly popular feature of Signal is the ability to send disappearing messages within the app, leaving no trace or digital record of said messages. In theory, great. However, on a Mac, messages from contacts appear and remain on the notification bar of the OS, even if they are set to self-destruct.
The notifications also include the name of the sender and the content of the message, according to Motherboard. These notifications appear when Signal is running in the background of a machine. When it is actively used, no notifications are sent at all.
The issue was spotted first by security researcher Alec Muffett, who tweeted a screenshot of so-called ‘disappearing messages’ on his notifications bar. He told Motherboard he had concerns about the location of this data within macOS, as well as whether it is cached or could possibly be recovered.
#HEADSUP: #Security Issue in #Signal. If you are using the @signalapp desktop app for Mac, check your notifications bar; messages get copied there and they seem to persist — even if they are "disappearing" messages which have been deleted/expunged from the app. pic.twitter.com/CVVi7rfLoY
— Alec Muffett (@AlecMuffett) May 8, 2018
Mac security researcher Patrick Wardle found that the data is stored on disk by the OS and can be recovered at a later date, even if the messages are no longer in the Signal app. He noted that the messages end up in an SQLite database, which is accessible with normal user credentials and permissions. This basically means anyone with the know-how can bypass the full disk encryption and dredge up the messages.
“Anything that gets displayed as a notification (yes, including ‘disappearing’ Signal messages) in the macOS notification centre is recorded by the OS,” Wardle wrote in a blogpost. “If the application wants the item to be removed from the notification centre, it must ensure that the alert is dismissed by the user or programmatically.”
How do I fix this?
While this may not be a pressing concern for regular users of the Signal app, activists, journalists and others should adjust their settings in the Signal desktop app. In the notifications section, simply choose the option ‘Neither name nor message’ or ‘Only sender name’.
This simple fix ensures message content remains in the app and won’t make its way to the notifications bar of your computer. Messages that appeared as a notification prior to applying the fix still need to be wiped from your device.
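The following is an added example, not code from the article, Wardle or Signal, showing how to audit what a notification store like the one described above retains for one app, and how a sender-only notification differs from one carrying message text. It assumes a simplified schema (an `app` table and a `record` table whose `data` column is a binary plist with `req.titl` and `req.body` keys) and runs against a constructed in-memory database with the hypothetical bundle ID `org.example.messenger`.

```python
import plistlib
import sqlite3
from datetime import datetime, timedelta, timezone

MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # Mac absolute time origin

def build_sample_db():
    """Constructed stand-in for the notification store (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE app (app_id INTEGER PRIMARY KEY, identifier TEXT);"
        "CREATE TABLE record (rec_id INTEGER PRIMARY KEY, app_id INTEGER,"
        " data BLOB, delivered_date REAL);"
    )
    conn.executemany("INSERT INTO app VALUES (?, ?)",
                     [(1, "org.example.messenger"), (2, "com.example.calendar")])
    rows = [  # constructed sample notifications
        (1, 1, {"req": {"titl": "Alice", "body": "meet at 9, delete after reading"}}, 547500000.0),
        (2, 2, {"req": {"titl": "Standup", "body": "in 10 minutes"}}, 547500600.0),
        (3, 1, {"req": {"titl": "Bob"}}, 547501200.0),  # sender only, no message text
    ]
    conn.executemany(
        "INSERT INTO record VALUES (?, ?, ?, ?)",
        [(r, a, plistlib.dumps(p, fmt=plistlib.FMT_BINARY), d) for r, a, p, d in rows])
    return conn

def lingering_notifications(conn, bundle_id):
    """Return notifications the store still holds for one app, oldest first."""
    cur = conn.execute(
        "SELECT r.data, r.delivered_date FROM record r"
        " JOIN app a ON a.app_id = r.app_id"
        " WHERE a.identifier = ? ORDER BY r.delivered_date", (bundle_id,))
    found = []
    for blob, delivered in cur:
        req = plistlib.loads(blob).get("req", {})
        found.append({
            "delivered": MAC_EPOCH + timedelta(seconds=delivered),
            "sender": req.get("titl"),
            "body": req.get("body"),  # None when the app sent no message text
        })
    return found

def exposes_content(conn, bundle_id):
    """True if any stored notification for the app carries message text."""
    return any(n["body"] for n in lingering_notifications(conn, bundle_id))

if __name__ == "__main__":
    db = build_sample_db()
    for n in lingering_notifications(db, "org.example.messenger"):
        print(n["delivered"].isoformat(), n["sender"], "->", n["body"])
```

The third constructed record models what the store would hold with the ‘Only sender name’ setting: the sender is still recorded, but no message text is.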
Signal and Apple have not yet responded to the findings but, so far, Signal for iOS does not appear to have the same problem.