The popular encrypted messenger Signal appears to have a problem on the desktop, and it needs the vendor's attention. A researcher has reported a glitch that leaves messages unencrypted on disk when a user upgrades from the Signal Chrome extension to the Signal Desktop client.
Signal Desktop Upgrade Leaves Messages Unencrypted
Reportedly, a researcher discovered a problem that undermines Signal's encryption on the desktop. The glitch occurs when a user upgrades from the Chrome extension to the Signal Desktop app: the messages exported for import into the new client are written to disk unencrypted.
The researcher, Matt Suiche, noticed this problem and posted about it in a tweet.
Am I tripping or if you upgrade Signal Desktop, it saves all your messages in plain text (messages.json) + attachments locally so you can re-import them in the newer version? #fail #wtf
— Matt Suiche (@msuiche) October 21, 2018
He then dug further into the glitch and filed a bug report on GitHub, where he also shared screenshots of his findings.
After this disclosure, Bleeping Computer confirmed the matter by independently reproducing Suiche's findings. Explaining how the app transfers messages during the upgrade, they state,
When upgrading from the Signal Chrome extension to Signal Desktop, the process requires the user to pick a location to save the message data (text and attachments), in order to import it automatically into the new version.
That is where the glitch resides. Signal simply exports the messages to the chosen destination without encrypting them, so the new location on the desktop contains the data in plain text. They go on to state:
The main directory contains individual folders for each Signal contact available. Folders are named after the name of the contact and their phone number; thus, simply opening the main directory shows sensitive details. Conversations are stored in JSON files inside each folder.
Matt Suiche found this problem on macOS, whereas Bleeping Computer performed its test on Linux Mint; both got the same result. The problem is therefore not specific to one operating system and presumably affects every user upgrading to Signal Desktop from the Chrome extension.
The Data Will Remain On The Disk Too
Apart from transferring the data in unencrypted form, the app exhibits another problem: the exported messages remain on disk even after the import into the new Signal app completes. To protect their privacy, users have to delete this data manually after the import. Note that ordinary deletion only unlinks the files; on a drive without full-disk encryption, the plaintext can remain recoverable until the blocks are overwritten.
The bug was still present at the time of disclosure. Suiche also shared steps to reproduce it for curious Signal users:
“1. Use Signal Desktop on macOS. 2. Run an outdated version of Signal which will require upgrade and to export your messages/attachments. 3. Browse the exported folder (!!!!!)”
He said the expected behaviour would be a complete transfer of the data, encrypted, with no traces left behind. Instead, the messages are imported unencrypted, and copies are left at the export location as well.
Just a day before this discovery, another researcher disclosed a separate glitch in Signal Desktop: the app keeps its decryption key in plain text, so anyone with physical access to the computer can read the message database. Both vulnerabilities await a patch from Signal.
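For users who went through the upgrade, the practical question is whether a plaintext export is still sitting on disk, and what it contains. The following Python script is an added example (not Signal's code, and not from the bug report): it walks an export directory laid out as described above (one folder per contact, named after the contact and phone number, holding messages.json and attachments), reports what is readable in plain text, and can remove the tree. The inner schema of messages.json is not given on the page; the script assumes it is a JSON list of messages or an object with a "messages" list, and treats anything unparseable as not-plaintext. The sample tree it builds is constructed test data, not real exported messages.

```python
"""Audit (and optionally remove) a leftover Signal Chrome-extension export.

Added example, not Signal's own code. Assumed layout (from the description above):
<export_root>/<Contact Name> <phone>/messages.json plus attachment files.
Assumption: messages.json is either a JSON list of message objects or an
object with a "messages" list; the real schema is not documented on the page.
"""
import json
import os
import shutil
import tempfile
from dataclasses import dataclass, field


@dataclass
class ExportFinding:
    folder: str                 # contact folder name (contact name + phone number)
    message_count: int          # messages parsed from messages.json (0 if unparseable)
    attachments: list = field(default_factory=list)
    readable_plaintext: bool = False


def _count_messages(path):
    """Parse messages.json under the assumed schema and return the message count."""
    with open(path, "r", encoding="utf-8") as fh:
        doc = json.load(fh)
    if isinstance(doc, list):
        return len(doc)
    if isinstance(doc, dict) and isinstance(doc.get("messages"), list):
        return len(doc["messages"])
    return 0


def audit_export(root):
    """Return one ExportFinding per contact folder under root that holds a messages.json."""
    findings = []
    for name in sorted(os.listdir(root)):
        folder = os.path.join(root, name)
        msg_file = os.path.join(folder, "messages.json")
        if not os.path.isdir(folder) or not os.path.isfile(msg_file):
            continue
        attachments = sorted(f for f in os.listdir(folder) if f != "messages.json")
        try:
            count, readable = _count_messages(msg_file), True
        except (ValueError, UnicodeDecodeError):
            count, readable = 0, False      # not JSON text: not readable as plaintext
        findings.append(ExportFinding(name, count, attachments, readable))
    return findings


def remove_export(root):
    """Delete the export tree and report success.

    Caveat: this only unlinks the files; it does not overwrite the blocks on the
    medium, so full-disk encryption remains the realistic mitigation.
    """
    shutil.rmtree(root)
    return not os.path.exists(root)


def build_sample_export(root=None):
    """Build a CONSTRUCTED sample tree mimicking the described layout (fake data)."""
    root = root or tempfile.mkdtemp(prefix="signal-export-")
    alice = os.path.join(root, "Alice Example +15555550100")
    os.makedirs(alice)
    with open(os.path.join(alice, "messages.json"), "w", encoding="utf-8") as fh:
        json.dump([{"body": "hi"}, {"body": "see attachment"}], fh)
    with open(os.path.join(alice, "photo.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff")           # fake JPEG header bytes
    bob = os.path.join(root, "Bob Example +15555550101")
    os.makedirs(bob)
    with open(os.path.join(bob, "messages.json"), "w", encoding="utf-8") as fh:
        json.dump({"messages": [{"body": "yo"}]}, fh)
    carol = os.path.join(root, "Carol Example +15555550102")
    os.makedirs(carol)
    with open(os.path.join(carol, "messages.json"), "wb") as fh:
        fh.write(b"\x00\xff\xfe not json")  # simulates a non-plaintext file
    os.makedirs(os.path.join(root, "not-an-export"))   # ignored: no messages.json
    return root


if __name__ == "__main__":
    sample_root = build_sample_export()
    for f in audit_export(sample_root):
        print(f"{f.folder}: {f.message_count} messages, "
              f"{len(f.attachments)} attachments, plaintext={f.readable_plaintext}")
    print("removed:", remove_export(sample_root))
```

Point the script at the directory you chose during the upgrade instead of the constructed sample; the folder names alone already reveal contacts and phone numbers, which is why the audit lists them before any parsing happens.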