Considered one of the safest messengers on the market, the Signal it has end-to-end encryption and a feature that automatically deletes messages received / sent after a period determined by the user. However, the Motherboard disclosed an app issue related to macOS, in which messages are displayed in the system's Notification Center.
The researcher Alec Muffett reported that the default messenger settings on the Mac allow incoming messages to be displayed as notifications and are stored in the operating system's Notification Center history, even after the user's self-destruct period. As in other applications, the notification also shows the name of the person who sent the message and the content of the conversation.
#HEADSUP: #Security Issue in #Signal. If you are using the @signalapp desktop app for Mac, check your notifications bar; messages get copied there and they seem to persist even if they are "disappearing" messages which have been deleted / expunged from the app. pic.twitter/CVVi7rfLoY
– Alec Muffett (@AlecMuffett) May 8, 2018
#ATENO: #security problem in #Signal. If you're using @signalapp desktop for Mac, check your notification bar; the messages are copied there and they seem to persist even if they are “missing” messages that have been deleted / purged from the application.
After further investigation, the web security researcher Patrick Wardle revealed that the problem can be even more serious. In addition to displaying messages in the macOS notification bar, even after the destruction period, Wardle demonstrated that it is also possible to locate and retrieve messages, since they are stored on the system's internal disk.
It is clear that in this way, any malware or hacker who goes through disk encryption can access the messages even after they have been deleted from the application.
The verified failure is not a risk for most users and it is possible to change the display settings of the messages in the notification bar directly by the application. To do this, simply access Preferences Notifications in the app menu and choose between the options “Do not display name and message” or “Name only” not to mention that, in macOS itself (in System Preferences Notifications), you can configure whether you want the notifications to be kept or not kept in the history in the Notification Center.
According to the Motherboard, Open Whisper Systems did not comment on the matter and did not answer whether or not it was working to fix the problem.
Update by Eduardo Marques 05/11/2018 s 13:30
As reported by the Mashable, the problem has already been fixed:
New version (1.10.0) of Signal Desktop😊😍Addresses 'disappearing' msgs remaining in OS's "notification" db
(relevant) Commit: https://t.co/rqIY5L97fW▪new window event listeners (focus / unload) that clear notification (s) ▪on msg read: Whisper.Notifications.remove (message); pic.twitter/cy6jxr64Xb
– patrick wardle (@patrickwardle) May 10, 2018
New version (1.10.0) of the Desktop Signal 😊😍Corrects “deleted messages that remain in the OS notification history ()
The news was released on Twitter by Patrick Wardle, director of research at Digita.
tip from Marcelo Kremer