The highly secure Signal messenger "secretly" saves the history and encryption keys in plain text
Illustration of thehackernews.com
Signal gained popularity after it became known as the “favorite messenger” of Edward Snowden . In 2015, he said that he used Signal daily to communicate with journalists.
The Signal messenger is positioned as a specially protected means of information exchange, which uses end-to-end encryption, which should exclude unauthorized access to the contents of the correspondence. However, as it turned out, there are situations when all efforts to encrypt Signal information are in vain.
Signal was initially available only as a mobile phone application, but convenience required a desktop version, which as a result appeared as an extensionfor chrome. Since the end of October 2017 , a new version of the offline application, independent of the browser, has become available to users . Since that moment, the extension for Chrome has received the status of end-of-life , and at the time of publication of this article the period of its support expires in less than a month. Here begins a sad story.
Do it once
Information security researcher Matthew Syush shared his discovery that one of the most secure crypto-messengers “planted” an impressive size to his users. The Signal messenger during the migration process from the Chrome extension to the full desktop client exports user messages to unencrypted text files.
Matthew Syush discovered this dangerous bug when working in macOS when updating Signal. Journalists of BleepingComputer went further and found out that the same exact problem manifests itself in Linux Mint.
When exporting conversations to disk, Signal creates separate folders named by name and phone number of contacts. All dialog content is stored in plain text JSON. The program does not display any warnings that the information is decrypted and saved to disk. This moment is the key to the threat of leakage of confidential data.
The worst thing in this situation is that unencrypted messages remain on the disk even after the upgrade is completed, and you have to delete them manually, if, of course, the user guesses at all ...
But this was not enough! The second problem in Signal Desktop was revealed by another researcher, Nathan Shochy.
Nathan Shochy learned that during the installation of Signal Desktop an encrypted db.sqlite database with an archive of user messages is created. The encryption key for the database is generated by the messenger without user interaction and is used every time you need to read the database with a message archive. Who would have thought that the key is stored locally and in clear text? This key can be found on the PC in the % AppData% \ Signal \ config.json file and on the Mac in ~ / Library / Application Support / Signal / config.json .
Do three, Signal blue flame burn!
Apparently, the problems with Signal do not end there. For example, another expert, Keith McCammon, indicates that Signal Desktop is not good at removing attachments from “disappearing” messages.
The “disappearing” messages feature was conceived by the Signal developers as an additional security layer, but in fact it does not work very reliably. According to McCammon, all attachments remain on the Signal users disk even after they should be deleted.
Only registered users can participate in the survey. Sign in , please.
Do you use Signal?
- 2.6% Yes, and I will not give up! 27
- 6.1% Tried, did not go 63
- 2.1% Used, but threw a long time 22
- 0.3% I use, but now I will give up 4
- 0.7% Just found out about Signal and start using 8
- 40.7% Just found out about Signal and don't plan on using it 416
- 5.7% Encrypting my Chats is not required 59
- 6.8% I am confused 70
- 34.4% I don’t use it, although I have known about it for a long time 351
Did you assume before reading this article that Signal locally stores correspondence in a weakly protected form?
- 1.9% Yes, I knew it and took all the necessary measures 5
- 5.3% Yes, I knew that, but I didn’t care 14
- 43.5% No, I did not know, and I was very excited 114
- 49.2% No, I did not know, but that did NOT scare me 129