Messaging app Signal has been praised for its high levels of privacy and security. Unfortunately, a flaw in the Signal Mac desktop app seems to have been violating the app’s trademark levels of secrecy.
Signal is a service that lets you chat with friends in real time and promises to never store your data. The app uses end-to-end encryption to ensure your messages are protected from prying eyes. It also doesn’t store metadata about group chats, such as who’s chatting in the group or the group title.
Signal also allows you to set messages to self-destruct, destroying any evidence they were ever sent—unless you’ve got notifications enabled in the Signal Mac desktop app. With the app’s default settings in place, a security researcher noticed that these messages don’t actually disappear—they’ll persist on your computer’s notification bar indefinitely, including information such as who sent the message and its contents.
#HEADSUP: #Security Issue in #Signal. If you are using the @signalapp desktop app for Mac, check your notifications bar; messages get copied there and they seem to persist — even if they are "disappearing" messages which have been deleted/expunged from the app. pic.twitter.com/CVVi7rfLoY
— Alec Muffett (@AlecMuffett) May 8, 2018
Motherboard confirmed that messages sent and self-destructed within the app itself continue to live on in the macOS notifications bar. The problem here, for those concerned about true messaging privacy, is that this means this Signal message data is stored on your Mac’s hard drive. This information can then be recovered at a later time, even if the messages were deleted within the Signal app.
According to Objective-See’s chief research officer Patrick Wardle, this data is stored in a database accessible under normal user permissions. This leaves it vulnerable to access by hackers, malware, or forensic experts employed by government agencies. The Signal iOS app doesn’t seem to suffer from this issue, according to Wardle.
Thankfully, there is a fix for the problem: In the Signal Mac app’s settings menu, head to Notifications and then edit the settings underneath to either “Only sender name” or “Neither name nor message.” Alternatively, you can disable the desktop app’s notifications altogether—but that minimizes some of the app’s utility. This won’t remove messages that are already stored on your Mac’s hard drive but will prevent future messages from being preserved.
Whisper Systems, the company behind the Signal app, hasn’t commented on the discovery.
- How to get faster Wi-Fi
- Everything you wanted to know about how the internet works
- The best privacy screens to protect your monitor and laptop