
Signal encryption key vulnerability being fixed on Mac (and less fully on Windows)

A long-standing Signal encryption key vulnerability in the company’s desktop apps is finally being fixed. The fix will fully secure the Mac app, but the company will only be able to offer a compromise solution for the Windows version …

The Signal desktop apps for both Mac and Windows store messages in an encrypted SQLite database whose key is automatically generated by the app, without user involvement.

The problem is that the encryption key is stored on the machine in a local plain text file. Any malware able to read unencrypted local files could obtain the key, and therefore decrypt the messages.

Security researchers have been pointing to this vulnerability for at least six years, with Nathaniel Suchy calling for the database to instead be encrypted with a user password.

Signal inexplicably dismissed the calls, incorrectly claiming that someone would have to have gained full access to the Mac or Windows PC in order to read the key. That isn’t the case: any malware running as the logged-in user can read that user’s files, including the plain text key file, without admin rights or any further authentication on the machine.

Things were quiet for six years until Elon Musk chimed in. He was community noted, and the company hit back, but he was backed up by mobile security researchers Talal Haj Bakry and Tommy Mysk.

Bleeping Computer reports that this has finally persuaded the company to fix the problem after a developer offered them a solution.

In April, an independent developer, Tom Plant, opened a pull request with code that uses Electron’s safeStorage API to further secure Signal’s data store from offline attacks.

“As a simple mitigation, I’ve implemented Electron’s safeStorage API to opportunistically encrypt the key with platform APIs like DPAPI on Windows and Keychain on macOS,” Plant explained in the merge request […]

A Signal developer finally replied that they had implemented support for Electron’s safeStorage, which would be available soon in an upcoming beta version.

On the Mac the key is protected by the Keychain, so another app trying to read it triggers a user prompt rather than silently succeeding. On Windows, DPAPI ties the key to the user account, so malware running under that same account can still decrypt it, but that is still significantly safer than a plain text file that any process can read.


You’re reading 9to5Mac.

Author

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac.