After years of criticism regarding how it stored plain text encryption keys, secure messaging app Signal has finally addressed a long-standing security flaw in its desktop client (via Bleeping Computer).
Back in 2018, it was reported that Signal Desktop for Windows and Mac created an encrypted SQLite database to store user messages.
However, the encryption key for this database was stored in plain text in local files (%AppData%\Signal\config.json on Windows and ~/Library/Application Support/Signal/config.json on Mac), making the encryption nearly ineffective.
Any user or program with access to the computer could potentially retrieve this key, rendering the database’s encryption useless. Security researcher Nathaniel Suchy had suggested a solution: encrypting the local database with a user-supplied password that would not be stored anywhere.
This approach is common in cloud backup software, web browsers, password managers, and cryptocurrency wallets. Despite this, Signal did not implement such a solution. When approached by BleepingComputer in 2018, Signal did not respond directly.
However, the issue resurfaced recently when Elon Musk tweeted about unspecified vulnerabilities in Signal, which some interpreted as an attempt to promote Telegram as a more secure alternative.
Signal President Meredith Whittaker responded, asserting that there were no known vulnerabilities that needed addressing and that the company adheres to responsible disclosure practices.
Mobile security researchers Talal Haj Bakry and Tommy Mysk of Mysk Inc reignited the discussion by highlighting that Signal Desktop still stored the encryption key in plain text, making user data vulnerable to exfiltration. They stressed that this issue had been known since 2018 but had not been fixed.
In response to the ongoing criticism and the recent attention from Musk’s tweet, Signal has finally taken steps to enhance its desktop client security. Independent developer Tom Plant had proposed using Electron’s SafeStorage API to secure Signal’s data store against offline attacks.
Despite Plant’s proposal lying dormant for a while, the recent uproar led Signal to implement support for Electron’s SafeStorage API. This new security feature is set to be available in an upcoming Beta version.
Signal’s developer Jamie Kyle explained that, in addition to migrating to encrypted/keystore-backed local database encryption keys, the implementation includes troubleshooting steps and a temporary fallback option.
Want to see more of our stories on Google?
P.S. Want to keep this site truly independent? Support us by buying us a beer, treating us to a coffee, or shopping through Amazon here. Links in this post are affiliate links, so we earn a tiny commission at no charge to you. Thanks for supporting independent Canadian media!
