Is Signal Messenger Compromised? \ stacker news ~security

Is Signal Messenger Compromised?x.com/M_Solidus/status/1809527728636404155

772 sats \ 22 comments \ @Rsync25 6 Jul security

Yesterday, new vulnerability in Signal Messenger was found by mysk_co developer.

What's are the Problems?

Problem 1

Messages are kept in an encrypted file,

however local encryption key is stored in plain text in a file called config.json.

The file is saved in a location accessible to any app, which makes the encryption ineffective.

This is a recognized issue that has been known about for a long time.

Problem 2

Media attachments, such as photos sent and received, are stored locally without encryption.

What's next?

I would recommend unlinking any desktop device from your signal account.

The problems do not apply only to MacOS, but also other desktop platforms.

I would say it's still safe to say the mobile app, if you have already onboarded your family on it.

However, if the transition for you won't be painful, I would go with different options like Threema or SimpleX.

Until next time.

Be Sovererign.

Not only Online.

Marconius Solidus

view all related items

118 sats \ 6 replies \ @zuspotirko 6 Jul

encryption key is stored in plain text in a file called config.json.

The file is saved in a location accessible to any app, which makes the encryption ineffective.

Is this an actual problem? To my knowledge Apps can't access files from other apps. In iOS, MacOS, Linux I'm sure. On Android too, right? The individual apps folder env are protected, aren't they?

Media attachments, such as photos sent and received, are stored locally without encryption.

If you don't manage photo library access you're screwed anyways. That's on you.

17 sats \ 5 replies \ @Zk2u 6 Jul

It’s the desktop apps that are the issue. iOS and android perform proper sandboxing and I know macOS provides keychain APIs and the security model to provide pretty good sandboxing. It’s complex but they should’ve been using platform specific keychains for the desktop app. This is a rookie error.

100 sats \ 1 reply \ @Zk2u 6 Jul

So turns out electron (the tech that signal desktop is built on) has a safeStorage API that does exactly what I said. It uses the OS’s cryptography systems to store the keys to the db. Someone actually sent a PR implementing this but it seems to have been ignored. https://github.com/signalapp/Signal-Desktop/pull/6849

13 sats \ 0 replies \ @Zk2u 8 Jul

Following up on this, yes macOS is generally the most secure option here. Windows’ keys use DPAPI, which protects keys from other users but not other apps, no different to Linux and what signal does here. macOS uses keychain which will stop apps from accessing other apps’ keychains even when on the same user. Generally Apple platform security is much higher than competitors and a much higher chance at fending off an attack than most systems

101 sats \ 2 replies \ @zuspotirko 6 Jul

Is this a Signal specific issue? Aren't there .ssh folders and config files with session tokens lying around everywhere on desktops?

117 sats \ 1 reply \ @Zk2u 6 Jul

Not a signal specific issue. This is true. I personally use secretive instead for things like ssh keys.

101 sats \ 0 replies \ @Zk2u 6 Jul

Link for those interested. https://github.com/maxgoedjen/secretive

110 sats \ 0 replies \ @WeAreAllSatoshi 6 Jul

This was found yesterday and not disclosed responsibly? Dick move, if so.

27 sats \ 2 replies \ @justin_shocknet 6 Jul

Can't help but laugh at people that rave about Signal, totally clueless

Even if the key wasn't stored in plain text json locally, its still with the provider authenticating you via phone number

Most privacy larps are using this crap on a keylogged phone to begin with

You can't download privacy from an app store

17 sats \ 1 reply \ @Zk2u 6 Jul

Signal is not crap. Most phones are not keylogged.

still with the provider authenticating you via phone number

Safety numbers are used for authentication, not phone numbers. You should really look into this stuff more.

You can't download privacy from an App Store

You can sure install tools to improve your privacy from an app store

17 sats \ 0 replies \ @justin_shocknet 6 Jul

Most phones are not keylogged.

You don't know that they aren't. The technology and incentive to ensure they are exists, so your assumptions are irresponsible.

Safety numbers

[They] store your keys whatever you want to call them, auth is how you get your storage.

You can sure install tools to improve your privacy from an app store

Yea, as part of a comprehensive understanding of what you're trying to achieve and how to achieve it, as inferred... That's the opposite of pretending products who's differentiation is privacy marketing are a good thing.

17 sats \ 0 replies \ @JesseJames 6 Jul

"...The file is saved in a location accessible to any app..." no, it's not it is in the user .confg private and hidden dir , plus the permission on that file are 0600, so... if you want to compromise yourself have at it...lol

17 sats \ 0 replies \ @wingalt 6 Jul

The problem with privacy tools is, if they are honest and well developed how do they make money? For better apps than signal, what is the model for their sustainability?

10 sats \ 6 replies \ @profullstack 6 Jul

i don't know but signal is better than anything else at the moment.

17 sats \ 2 replies \ @aoeu 6 Jul

Better than SimpleX or Matrix? Both of these don't require a phone number to sign up with.

0 sats \ 1 reply \ @profullstack 6 Jul

havent' used either.

38 sats \ 0 replies \ @aoeu 6 Jul

A lot depends on who you use them to chat with. If you already have people on Signal, then it would be tough to switch.

30 sats \ 2 replies \ @tigstigs 6 Jul

keet? or any program that has P2P w/ E2EE?

0 sats \ 1 reply \ @profullstack 6 Jul

what is that?

117 sats \ 0 replies \ @tigstigs 6 Jul

keet.io - made by the holepunch team - holepunch.to

still very much in it's infancy but it's definitely progressing everyday. Text has been fine, video is ok at times but the screensharing is kinda broken at times sadly.

there's also hivetalk which is great for webcam+screen sharing but uses rooms, not individual users. allows nostr login and has NWC which is nice. hivetalk.org for that one.

I think there's a way of just sending PGP over Signal which I thought would be pretty private but I just read something about PGP being unsafe so who knows!

0 sats \ 0 replies \ @Akg10s33 6 Jul

I think it's not very reliable...

0 sats \ 0 replies \ @flat24 6 Jul

I have recently been researching to improve my ways of communicating with my close circle... and among several options in my opinion "Threema" is a very very good option, only it is paid (although if I am wrong it is a one-time payment ) and of the free options of all the ones I saw were Simplex, Signal, Session and Briar. My short research and comparisons led me to the conclusion that the best option could be "BRIAR" and it is the one I have been using, it is quite simple and complies with encryption and privacy standards. Take a look, maybe it can help you! DYOR PD - Download it from F-droid