NIXsolutions: Signal App Vulnerability Addressed

The developers of the Signal application have only now taken measures to eliminate the vulnerability in the desktop version of the client, which was pointed out to them back in 2018. For six years, they did not consider it a problem and said they had no obligation to do so.


When you install the Signal desktop app for Windows or macOS, an encrypted SQLite database is created that stores the user’s messages. This database is encrypted using a key generated by the program without user intervention. In order for the program to open the database and use it to store correspondence, it needs access to the encryption key. Unfortunately, this key is stored in clear text in a JSON file within the application folder. This means any other user or application running on the same computer can read it, which renders the database encryption useless: it provides no additional security.

Developer Response and Resolution

Users of the messenger have repeatedly reported this issue to its developers since 2018. The response was consistently that they never claimed to ensure the security of the database. In May of this year, the problem was brought to the attention of Elon Musk, who wrote on his social network X that there are known vulnerabilities in Signal that are not being fixed. The platform’s fact-checking service refuted this statement, noting that no properly documented vulnerabilities were found in the messenger, a claim confirmed by Signal President Meredith Whittaker.

The situation continued to escalate until independent developer Tom Plant proposed using the Electron SafeStorage API to protect the Signal data storage. This solution transfers the encryption keys to secure locations: for Windows, this is DPAPI; for macOS, it is Keychain; and for Linux, it is the secret storage of the current window manager, such as kwallet or gnome-libsecret. While not perfect, especially on Windows with DPAPI, it adds an extra layer of security. Two days ago, a Signal representative announced that the proposed solution has been integrated into the messenger and will appear in the upcoming beta version of the client. While the new implementation is being tested, the Signal developers have retained a backup mechanism that allows the program to decrypt the database in the usual way, notes NIXsolutions.

We’ll keep you updated on further developments regarding Signal’s security measures.