Vulnerability Found in Signal Desktop Messenger and What You Can Do

According to a recent post by Latest Hacking News, a vulnerability was just found in the Signal messenger desktop app. It was made known by Nathaniel Suchy on Twitter. The critical flaw in the Signal Desktop client allegedly leaves messages vulnerable to hacking. As explained on Twitter, the vulnerability exists because the app needs the decryption key every time it opens its database, so the decryption key itself is not really encrypted.

What is Signal messenger

Signal messenger is a popular secure messaging platform known for its message encryption, which shows throughout its features. The BestVPN blog describes Signal, and what makes it the best secure messaging platform, this way: ‘Signal messenger is widely regarded as the most secure and private way to communicate over distance yet devised. Signal is the brainchild of privacy legend Moxie Marlinspike.’ Its simplicity and security features make it easy for people to use it in place of the built-in SMS platforms or the popular WhatsApp messenger app. Conversations between two Signal users are sent over the internet, across various tunnels, and are protected by very strong end-to-end encryption keys.

What makes Signal messenger secure

Its end-to-end encryption: This feature of Signal makes it difficult for unauthorized recipients to view or modify a message that has been sent via Signal. How does this happen? Signal ensures all messages are encrypted before being delivered to the receiver, and only the authorized recipient can decrypt them. Signal also provides a strong encryption process for all stored messages, making them twice as difficult to decrypt. But just remember that messages sent to non-Signal users are not secure!

Vulnerability found on Signal Messenger Desktop

In explaining how this vulnerability works, Bleeping Computer shared this:

“When Signal Desktop is installed, it will create an encrypted SQLite database called db.sqlite. This is used to store the user’s messages. The encryption key for this database is automatically generated by the program when it is installed without any interaction by the user. As the encryption key will be required each time Signal Desktop opens the database, it will store it in plain text to a local file called %AppData%\Signal\config.json on PCs and on a Mac at ~/Library/Application Support/Signal/config.json”

And that is what makes this behaviour a vulnerability. Anyone with physical access to the computer can open the plain-text file to find the decryption key. An attacker may then use this key to open the SQLite database and so access the app’s entire contents.
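A defensive check for the condition described above, as an added example that is not from the original post or from Signal: it reports whether a config.json holds what looks like raw key material and, on POSIX systems, whether other local accounts can reach the file. The JSON field name "key" is an assumption (the article does not name it), and the function never returns or prints the value itself.

```python
import json
import os
import stat
import string
from pathlib import Path

# Locations quoted in the article (Windows and macOS).
DEFAULT_PATHS = [
    Path(os.environ.get("APPDATA", "")) / "Signal" / "config.json",
    Path.home() / "Library" / "Application Support" / "Signal" / "config.json",
]


def audit_config(path, key_field="key"):
    """Return finding codes for one config.json; never returns the key itself.

    key_field is an assumption: the article does not name the JSON field.
    """
    path = Path(path)
    try:
        data = json.loads(path.read_text(encoding="utf-8"))
    except FileNotFoundError:
        return ["not-found"]
    except (OSError, ValueError):
        return ["unreadable-or-invalid-json"]
    findings = []
    value = data.get(key_field) if isinstance(data, dict) else None
    # A long all-hex string is treated as raw key material stored in the clear.
    if (isinstance(value, str) and len(value) >= 32
            and all(c in string.hexdigits for c in value)):
        findings.append("plaintext-key")
    if os.name == "posix":
        # Any group/other permission bit lets other local accounts reach the file.
        if stat.S_IMODE(path.stat().st_mode) & 0o077:
            findings.append("group-or-other-access")
    return findings


if __name__ == "__main__":
    for candidate in DEFAULT_PATHS:
        print(candidate, audit_config(candidate))
```

Tightening the file mode removes the second finding only; the key is still readable by anyone who can log in as, or boot around, the owning account.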

Regarding a Patch for Signal Messenger Vulnerability

Suchy disclosed the findings on Twitter, also stating that they couldn’t contact Signal privately.
We are not sure when this bug will be fixed, but we advise all users to be careful when using the Signal Desktop app.

What to do while Signal Desktop messenger awaits patching

  1. Make sure you’re only connected to trusted networks when using the Signal Desktop app.
  2. Never leave your computer unattended; if you must, make sure Signal messenger is signed out completely.
  3. Auto-lock your system when not in use.

If you have more suggestions or comments, please feel free to drop them below.

