Skip to main content

Signal encryption key vulnerability being fixed on Mac (and less fully on Windows)

Avatar for Ben Lovejoy  | Jul 12 2024 - 7:08 am PT
0 Comments
Signal encryption key vulnerability on Mac | Close-up of MacBook Pro keyboard

A long-standing Signal encryption key vulnerability in the company’s desktop apps is finally being fixed. The fix will fully secure the Mac app, but the company will only be able to offer a compromise solution for the Windows version …

The Signal desktop apps for both Mac and Windows store messages in an encrypted SQLite database whose key is automatically generated by the app, without user involvement.

The problem is that the encryption key is stored on the machine in a local plain text file. Any malware able to read unencrypted local files could obtain the key, and therefore decrypt the messages.

Security researchers have been pointing to this vulnerability for at least six years, with Nathaniel Suchy calling for the database to instead be encrypted with a user password.

Signal inexplicably dismissed the calls, incorrectly claiming that someone would have to have gained full access to the Mac or Windows PC in order to read the key. That isn’t the case, as there are examples of malware able to read plain text files without having full authenticated access to the machine.

Things were quiet for six years until Elon Musk chimed in. He was community noted, and the company hit back, but he was backed up by mobile security researchers Talal Haj Bakry and Tommy Mysk.

Bleeping Computer reports that this has finally persuaded the company to fix the problem after a developer offered them a solution.

In April, an independent developer, Tom Plant, created a request to merge code that uses Electron’s SafeStorage API to further secure Signal’s data store from offline attacks.

“As a simple mitigation, I’ve implemented Electron’s safeStorage API to opportunistically encrypt the key with platform APIs like DPAPI on Windows and Keychain on macOS,” Plant explained in the merge request […]

A Signal developer finally replied that they implemented support for Electron’s safeStorage, which would be available soon in an upcoming Beta version.

Using Keychain on Mac fully secures the encryption key, while the Windows solution could still potentially be compromised by some malware, but will be significantly safer than now.

Photo by Erik Mclean on Unsplash

Add 9to5Mac to your Google News feed. 

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Check out 9to5Mac on YouTube for more Apple news:

Comments

Guides

Mac

Mac

Apple’s Mac lineup consists of MacBook, MacBoo…
Privacy

Privacy

Privacy is a growing concern in today's world. F…
Security Signal

Author

Avatar for Ben Lovejoy Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!

Ben Lovejoy's favorite gear

Dell 49-inch curved monitor

Dell 49-inch curved monitor

Manage push notifications

notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications
notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications