A bevy of secure messaging options exist to serve the needs of whistleblowers, journalists, and those wanting greater privacy in general, and among them Signal has become one of the most trusted. It even comes baked in with “disappearing” messages that users can set to self-destruct anywhere from five seconds to one week after they’re checked.
Yesterday it was discovered that those disappearing messages may not disappear at all, at least if you use the service’s Mac client.
Motherboard reports that security researcher Alec Muffett first noticed that the desktop alerts Mac machines generate for—among other things—incoming encrypted messages did not delete themselves, even if those same messages had been set to do so in Signal. A second researcher, Patrick Wardle, later expounded on the vulnerability in a blog post which demonstrated the relative ease with which these messages could be located and recovered.
Open Whisper Systems, the group that developed Signal, also offers a Google Chrome extension with similar desktop functionality. While that version generates alerts through Chrome’s separate notifications feature, it’s unclear whether the contents of those alerts are stored locally and remain accessible when the messages are marked to disappear.
We’ve reached out to Open Whisper Systems, Patrick Wardle, and Google for further details and will update when we hear back.
In the meantime, we recommend turning off notifications for the Mac standalone app (System Preferences->Notifications) and disabling the Chrome extension until a fix is made available.