Vulnerability found on Signal Desktop Messenger and What you can do


According to a recent post by Latest Hacking News, a vulnerability was just found in the Signal Messenger desktop app. This was made known by Nathaniel Suchy on Twitter. The critical flaw in the Signal Desktop client allegedly leaves messages vulnerable to hacking. As explained on Twitter, the vulnerability exists because of a feature that requires the decryption key every time the app opens the database; as a result, the decryption key itself is not encrypted.

What is Signal Messenger?

Signal messenger is widely regarded as the most secure and private way to communicate over distance yet devised. The brainchild of privacy legend Moxie Marlinspike, Signal replaces your default SMS messenger app, making it almost seamless to use.

Signal is primarily a secure and open source messaging app that replaces your Android phone or iPhone’s regular SMS app. Messages to and from other Signal users are sent over the internet and protected by very strong end-to-end encryption.

What makes Signal Messenger secure?

Signal uses end-to-end encryption: all secure Signal messages are encrypted on your phone before being sent, and can only be decrypted by the intended recipient(s).

In addition, Signal includes the option to encrypt all stored messages, which makes it impossible to access them unless the phone owner can somehow be coerced into revealing their passcode.

This removes the need to trust any third party to keep your data safe, and no third party can access the messages in transit. The only way for an adversary to access messages sent with Signal is to have direct physical access to your phone or the recipient's phone.

But, just remember that messages sent to non-Signal users are not secure!

Vulnerability found on Signal Messenger Desktop

In explaining how this vulnerability works, Bleeping Computer shared this:

“When Signal Desktop is installed, it will create an encrypted SQLite database called db.sqlite. This is used to store the user’s messages. The encryption key for this database is automatically generated by the program when it is installed without any interaction by the user. As the encryption key will be required each time Signal Desktop opens the database, it will store it in plain text in a local file called %AppData%\Signal\config.json on PCs and, on a Mac, at ~/Library/Application Support/Signal/config.json.”

And that’s what turns this design choice into a vulnerability. Anyone with physical access to the computer (or any process running as that user) can open the plain-text file and read the decryption key. The attacker may then use this key to open the SQLite database and easily access the entire contents of the app.
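A defender-side check for the condition described above, written for this post and not taken from Signal or from the original article: it reads the config.json at the paths the post quotes (the Linux path and the `key` field name are assumptions), reports whether a plain-text database key is present, and flags a file that is readable by other users on the machine. It does not open the database.

```python
import json
import os
import re
import stat
from pathlib import Path
from typing import List, Optional

# Locations quoted in the post for Windows and macOS; the Linux path is an assumption.
DEFAULT_CONFIG_PATHS = {
    "win32": "%AppData%\\Signal\\config.json",
    "darwin": "~/Library/Application Support/Signal/config.json",
    "linux": "~/.config/Signal/config.json",  # assumed, not stated in the post
}

# Assumption: the key is stored as a 64-character hex string under "key".
HEX_KEY = re.compile(r"^[0-9a-fA-F]{64}$")


def audit_config_text(config_text: str, mode: Optional[int] = None) -> List[str]:
    """Return human-readable findings for the body of a Signal Desktop config.json.

    config_text: raw contents of config.json
    mode:        st_mode of the file, or None if the permission bits are unknown
    """
    findings: List[str] = []
    try:
        cfg = json.loads(config_text)
    except json.JSONDecodeError as exc:
        return [f"config.json is not valid JSON: {exc}"]

    key = cfg.get("key") if isinstance(cfg, dict) else None
    if isinstance(key, str) and key:
        kind = "hex-encoded" if HEX_KEY.match(key) else "non-hex"
        findings.append(f"plaintext database key present in config.json ({kind}, {len(key)} chars)")
    # On POSIX systems, group/other read bits mean other local accounts can read the key.
    if mode is not None and mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("config.json is readable by group/other (mode %o)" % stat.S_IMODE(mode))
    return findings


def audit_config_file(path: str) -> List[str]:
    """Expand the platform path, read the file and audit it; report a missing file."""
    p = Path(os.path.expandvars(os.path.expanduser(path)))
    if not p.is_file():
        return [f"no Signal Desktop config found at {p}"]
    return audit_config_text(p.read_text(encoding="utf-8"), p.stat().st_mode)


if __name__ == "__main__":
    import sys
    path = DEFAULT_CONFIG_PATHS.get(sys.platform, DEFAULT_CONFIG_PATHS["linux"])
    for finding in audit_config_file(path):
        print(finding)
```

Run it as the user whose Signal Desktop profile you are checking; an empty result means neither a plain-text key nor a world-readable config file was found.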

Regarding a Patch for Signal Messenger Vulnerability

The researcher disclosed the findings on Twitter, where he also stated that he couldn’t contact Signal privately.

We are not sure when this bug will be fixed, but we advise all users to be careful when using the Signal Desktop app.

What to do while Signal Desktop Messenger awaits patching

  1. Make sure you’re only connected to trusted networks when using the Signal Desktop app.
  2. Never leave your computer unattended; if you must, make sure Signal Desktop is signed out completely.
  3. Auto-lock your system when it is not in use.

If you have more suggestions or comments, please feel free to drop them below.
