Signal Is Working to Close a Security Vulnerability in Its Desktop App


Signal is fixing a flaw in the security of its desktop app that has lingered for years. As reported by BleepingComputer, Signal’s Desktop app on both Windows and Mac creates an SQLite database when it is first installed. The app generates the key used to encrypt that database and then stores it in plain text in a local file on the machine. Anyone with access to the machine can read that file and, with it, the database.

Not great.

Signal is an encrypted chat application with a good reputation. For many, it’s their daily driver communication platform. Its end-to-end encryption protocol is so well regarded that it’s used in other programs like WhatsApp. On mobile, it’s fantastic. On desktop computers? Less so.

What’s bizarre is that this vulnerability in Signal’s desktop app has been around for years. BleepingComputer first reported on it in 2018. At the time, Signal told users on its forums that the database key was never meant to be kept secret.

“The reported issues rely on an attacker already having *full access to your device* — either physically, through a malware compromise, or via a malicious application running on the same device. This is not something that Signal, or any other app, can fully protect against. Nor do we ever claim to,” Signal President Meredith Whittaker said in a post on X on July 9.

So why is all of this resurfacing now? Elon Musk, right-wing culture war politics, and Telegram.

Telegram is another popular messaging app, especially in Europe, Russia, and the Middle East. It doesn’t, by default, have end-to-end encryption. It’s also a vector for malware, scams, and violent imagery. On May 8, its CEO Pavel Durov called out Signal as an agent of the U.S. government in a post on Telegram.

“The US government spent $3 million to build Signal’s encryption, and today the exact same encryption is implemented in WhatsApp, Facebook Messenger, Google Messages and even Skype,” Durov said. “It looks almost as if big tech in the US is not allowed to build its own encryption protocols that would be independent of government interference.”

Durov was reacting to a report from right-wing provocateur Chris Rufo, who called out Signal for its involvement with NPR CEO Katherine Maher. “There are known vulnerabilities with Signal that are not being addressed,” Musk said on X in response to Rufo’s report.

No communication platform is secure, but there are gradients. “Signal Protocol, the cryptography behind Signal (also used in WhatsApp and several other messengers) is open source and has been intensively reviewed by cryptographers. When it comes to cryptography, this is pretty much the gold standard,” Johns Hopkins security researcher Matthew Green said on X at the time of the controversy.

According to a Signal engineer on GitHub, the plan is to use the Electron safeStorage API. This would let Signal use each OS’s own cryptography (the system keychain or credential store) to add an extra layer of protection for the JSON file where the key is stored. “This is a big change that will require a lot of testing,” the Signal engineer said on GitHub. “It will start rolling out soon in an upcoming beta release and hit production shortly after that assuming everything goes well.”

Signal did not return Gizmodo’s request for comment.

Security concerns around our devices are top of mind right now. AT&T just revealed that hackers accessed its database in April and downloaded “nearly all” of its customers’ data from a period between May 2022 and October 2022.
