Signal Upgrade Process Leaves Unencrypted Messages on Disk

guest · Oct 22, 2018

Signal Upgrade Process Leaves Unencrypted Messages on Disk
October 22, 2018
https://www.bleepingcomputer.com/ne...-process-leaves-unencrypted-messages-on-disk/

When upgrading from the Signal Chrome extension to Signal Desktop, the process requires the user to pick a location to save the message data (text and attachments), in order to import it automatically into the new version.

After this stage, hacker and security researcher Matt Suiche noticed that the app dumped the information in a location of his choosing without encrypting it first. He announced his finding on Twitter and also filed a bug report.
[...] Folders are named after the name of the contact and their phone number; thus, simply opening the main directory shows sensitive details.
[...] In tests BleepingComputer did on Linux Mint with multiple test accounts, we observed the same behavior
Not the only problem with Signal Desktop
Signal Desktop is also bad at removing media that has been attached to disappearing messages - a feature that deletes messages from the devices involved in a conversation after a specific amount of time. [...] looking through the file system one would surely find media files that should have been removed.
Click to expand...

mirimir · Oct 22, 2018

So just create a ramdisk, and nuke it when you're done. But then, Signal could do that for you

Beyonder · Oct 23, 2018

Wasn't this already posted in another thread?

Anyway, a crazy idea is to use EFS in Windows 10 Pro to encrypt the Signal folder.

guest · Oct 23, 2018

Signal Desktop Leaves Message Decryption Key in Plain Sight
October 23, 2018
https://www.bleepingcomputer.com/ne...leaves-message-decryption-key-in-plain-sight/

A mistake in the process used by the Signal Desktop application to encrypt locally stored messages leaves them wide open to an attacker.

When Signal Desktop is installed, it will create an encrypted SQLite database called db.sqlite, which is used to store the user's messages. The encryption key for this database is automatically generated by the program when it is installed without any interaction by the user.

As the encryption key will be required each time Signal Desktop opens the database, it will store it in plain text to a local file called %AppData%\Signal\config.json on PCs and on a Mac at ~/Library/Application Support/Signal/config.json.
When you open the config.json file, the decryption key is readily available to anyone who wants it.

This bug comes on the heels of a different Signal problem reported yesterday that left unencrypted messages stored in text files when upgrading from the Signal Chrome extension to Signal Desktop.
Click to expand...

mirimir · Oct 24, 2018

That's rather funny

I can imagine that they were figuring that all bets are off, no matter what, if adversaries have local access to a machine.

But there are standard mitigations. As GnuPG and OpenSSH do, they could password encrypt the key, and leave it available for some minutes after decrypting. Or like LUKS, store the key in RAM.

Log in or Sign up

Signal Upgrade Process Leaves Unencrypted Messages on Disk

guest Guest

mirimir Registered Member

Beyonder Registered Member

guest Guest

mirimir Registered Member

Log in or Sign up

Signal Upgrade Process Leaves Unencrypted Messages on Disk

guest Guest

mirimir Registered Member

Beyonder Registered Member

guest Guest

mirimir Registered Member

Useful Searches