Signal's Disappearing Messages Have a Huge Flaw on Macs

A bevy of secure messaging options exist to serve the needs of whistleblowers, journalists, and those wanting greater privacy in general, and among them Signal has become one of the most trusted. It even comes baked in with “disappearing” messages that users can set to self-destruct anywhere from five seconds to one week after they’re checked.

Yesterday it was discovered that those disappearing messages may not disappear at all, at least if you use the service’s Mac client.

Motherboard reports that security researcher Alec Muffett first noticed that the desktop alerts Mac machines generate for—among other things—incoming encrypted messages did not delete themselves, even if those same messages had been set to do so in Signal. A second researcher, Patrick Wardle, later expounded on the vulnerability in a blog post which demonstrated the relative ease with which these messages could be located and recovered.

Open Whisper Systems, the group that developed Signal, also offers a Google Chrome extension with similar desktop functionality. While that version generates alerts through Chrome’s separate notifications feature, it’s unclear if the contents of those alerts are stored locally and accessible when marked to disappear.

We’ve reached out to Open Whisper Systems, Patrick Wardle, and Google for further details and will update when we hear back.

In the meantime, we recommend turning off notifications for the Mac standalone app (System Preferences->Notifications) and disabling the Chrome extension until a fix is made available.

[Motherboard]

About the author

Bryan Menegus

Senior reporter. Tech + labor /// bgmwrites@gmail.com Keybase: keybase.io/bryangm Securedrop: http://gmg7jl25ony5g7ws.onion/

PGP Fingerprint: 1905 9104 D967 2EB7 C3F5 68F9 9108 1434 C917 C1B9