A long-standing Signal encryption key vulnerability in the company’s desktop apps is finally being fixed. The fix will fully secure the Mac app, but the company will only be able to offer a compromise solution for the Windows version …
The Signal desktop apps for both Mac and Windows store messages in an encrypted SQLite database whose key is automatically generated by the app, without user involvement.
The problem is that the encryption key is stored on the machine in a local plain text file. Any malware able to read unencrypted local files could obtain the key, and therefore decrypt the messages.
Security researchers have been pointing to this vulnerability for at least six years, with Nathaniel Suchy calling for the database to instead be encrypted with a user password.
Signal inexplicably dismissed the calls, incorrectly claiming that someone would have to have gained full access to the Mac or Windows PC in order to read the key. That isn’t the case, as there are examples of malware able to read plain text files without having full authenticated access to the machine.
Things were quiet for six years until Elon Musk chimed in. He was community noted, and the company hit back, but he was backed up by mobile security researchers Talal Haj Bakry and Tommy Mysk.
Bleeping Computer reports that this has finally persuaded the company to fix the problem after a developer offered them a solution.
In April, an independent developer, Tom Plant, created a request to merge code that uses Electron’s SafeStorage API to further secure Signal’s data store from offline attacks.
“As a simple mitigation, I’ve implemented Electron’s safeStorage API to opportunistically encrypt the key with platform APIs like DPAPI on Windows and Keychain on macOS,” Plant explained in the merge request […]
A Signal developer finally replied that they implemented support for Electron’s safeStorage, which would be available soon in an upcoming Beta version.
Using Keychain on Mac fully secures the encryption key, while the Windows solution could still potentially be compromised by some malware, but will be significantly safer than now.
Photo by Erik Mclean on Unsplash
FTC: We use income earning auto affiliate links. More.
