Signal’s desktop app stores encryption keys for chat history in plaintext, making them accessible to any process on the system
Researchers were able to clone a user’s entire Signal session by copying the local storage directory, allowing them to access the chat history on a separate device
This issue was previously highlighted in 2018, but Signal has not addressed it, stating that at-rest encryption is not something the desktop app currently provides
Some argue this is not a major issue for the “average user”, as other apps also have similar security shortcomings, and users concerned about security should take more extreme measures
However, others believe this is a significant security flaw that undermines Signal’s core promise of end-to-end encryption
A pull request was made in April 2023 to implement Electron’s safeStorage API to address this problem, but there has been no follow-up from Signal
“checking” does not prevent anything bad from happening. and if that file were read by a malicious actor, it would likely be immediate and you’d never even notice.
If the keys are accessible to any process, your system doesn’t need to be compromised. All it takes is an App that you”trust” to break that trust and snatch everything up. Meta has already been caught fucking around with other social media apps on device. They even intercepted Snapchat traffic on some users devices in order to collect that data. It could be as simple as you installed WhatsApp and they went and pillaged your Signal files.
For sure, just suggesting that “compromised” doesn’t necessarily mean you got hacked by someone because they tricked you into giving a password, or they scraped it from another website, or you installed something sketchy. It could be as simple as Microsoft scans all your files with AI, or Meta snoops other social media (which it has been caught doing).
Summary:
Thanks ChatGPT.
Oh wow that’s quite a red flag ngl
Why? They would need access to the device
If your system is compromised to such an extend, it really doesn’t make much difference how the keys are stored at rest.
But my system is not compromised?
How do you know?
Because I check my system and I don’t even use Signal?
“checking” does not prevent anything bad from happening. and if that file were read by a malicious actor, it would likely be immediate and you’d never even notice.
Did you see that I said “I don’t use Signal”?
Did you read the article?
If the keys are accessible to any process, your system doesn’t need to be compromised. All it takes is an App that you”trust” to break that trust and snatch everything up. Meta has already been caught fucking around with other social media apps on device. They even intercepted Snapchat traffic on some users devices in order to collect that data. It could be as simple as you installed WhatsApp and they went and pillaged your Signal files.
I get what you’re trying to say, but that’s something I’d classify as “compromised” as well.
For sure, just suggesting that “compromised” doesn’t necessarily mean you got hacked by someone because they tricked you into giving a password, or they scraped it from another website, or you installed something sketchy. It could be as simple as Microsoft scans all your files with AI, or Meta snoops other social media (which it has been caught doing).
So you’re saying that the os itself is compromised? Gee, good luck protecting your processes from the fucking os, no matter how you do it.