Signal, the popular cross-platform encrypted communications app for mobile and desktop, is recommended by most security experts, including Edward Snowden, for its top-notch privacy features. However, it seems the app’s desktop client for Mac may end up exposing your private messages, even if they are the “disappearing” type (via Motherboard).
As discovered by security researcher Alec Muffett, with Signal’s default settings on a Mac, any incoming messages live on the operating system’s notifications bar even if those messages are set to self-destruct using Signal’s timer. These notifications include the sender’s name and the message’s content.
#HEADSUP: #Security Issue in #Signal. If you are using the @signalapp desktop app for Mac, check your notifications bar; messages get copied there and they seem to persist — even if they are “disappearing” messages which have been deleted/expunged from the app. pic.twitter.com/CVVi7rfLoY
— Alec Muffett (@AlecMuffett)
Muffett said that he is chiefly worried about where in Apple’s operating system this data lives, and whether it’s cached or written somewhere where it can be recovered. Turns out the data is actually stored on the Mac hard drive, according to Mac security researcher Patrick Wardle.
Wardle found that disappearing messages that have appeared as notifications can be recovered later, even after they are gone within the Signal app. Wardle explains that the messages end up in a SQLite database that is accessible with normal user permissions.
That means any malware, hacker, or forensic expert who can bypass the full disk encryption will be able to recover these messages even after they’re gone in the app, Wardle told me.
Luckily, the fix is pretty simple. In the Signal Mac app’s preferences, navigate to the “Notifications” section and check the option “Neither name nor message” or “Only sender name”, which will prevent the content of the message from being displayed outside of the desktop app.
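To confirm the setting took effect, a check like the following can be run over the stored notification records. This is an added example, not code from the article or from Signal. The two-table layout (app, record), the binary-plist payload with "titl" and "body" keys, and the app identifier are assumptions made for illustration, since the article gives neither the database's path nor its schema.

```python
import plistlib
import sqlite3

# Placeholder identifier for the Signal desktop app (assumption, not from the article).
APP_ID = "example.signal-desktop.placeholder"

def build_sample_db():
    """Constructed in-memory database using the assumed (hypothetical) layout."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE app(app_id INTEGER PRIMARY KEY, identifier TEXT);"
        "CREATE TABLE record(rec_id INTEGER PRIMARY KEY, app_id INTEGER, data BLOB);"
    )
    db.executemany("INSERT INTO app VALUES (?, ?)",
                   [(1, APP_ID), (2, "com.example.calendar")])
    samples = [  # (app_id, title, body): constructed notification payloads
        (1, "Alice", "meet at 6, usual place"),  # default setting: name and message
        (1, "Alice", ""),                        # after choosing "Only sender name"
        (2, "Standup", "starts in 10 minutes"),  # unrelated app, ignored by default
    ]
    for app_id, title, body in samples:
        blob = plistlib.dumps({"req": {"titl": title, "body": body}},
                              fmt=plistlib.FMT_BINARY)
        db.execute("INSERT INTO record(app_id, data) VALUES (?, ?)", (app_id, blob))
    return db

def leaked_bodies(db, identifier=APP_ID):
    """Return (rec_id, sender, body) for stored notifications of `identifier`
    whose payload still contains message text."""
    rows = db.execute(
        "SELECT r.rec_id, r.data FROM record r JOIN app a ON a.app_id = r.app_id "
        "WHERE a.identifier = ? ORDER BY r.rec_id", (identifier,)).fetchall()
    findings = []
    for rec_id, blob in rows:
        try:
            req = plistlib.loads(blob)["req"]
            sender, body = req.get("titl", ""), req.get("body") or ""
        except Exception:  # malformed or unexpected payload: nothing to report
            continue
        if body.strip():
            findings.append((rec_id, sender, body))
    return findings

if __name__ == "__main__":
    for rec_id, sender, _ in leaked_bodies(build_sample_db()):
        print(f"record {rec_id}: message text from {sender!r} is still stored")
```

An empty result for the Signal identifier means no message text is being retained in the records examined; records written before the setting was changed would still show up.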