Signal Is Working to Close a Security Vulnerability in Its Desktop App


Signal is fixing a flaw in the security of its desktop app that has lingered for years. As reported by BleepingComputer, Signal’s Desktop app on both Windows and Mac creates an SQLite database when it’s first installed. The program generates a key for that database’s encryption, which is then stored as a plain text file locally on the machine. Anyone with access to the device can get into that file.

Not great.

Signal is an encrypted chat application with a good reputation. For many, it’s their daily driver communication platform. Its end-to-end encryption system is so good it’s used in other programs like WhatsApp. On mobile, it’s fantastic. On desktop computers? Less so.

What’s bizarre is that this vulnerability in Signal’s desktop app has been around for years. BleepingComputer first reported on it in 2018. At the time, Signal told users on its forums that the database key was never meant to be kept secret.

“The reported issues rely on an attacker already having *full access to your device* — either physically, through a malware compromise, or via a malicious application running on the same device. This is not something that Signal, or any other app, can fully protect against. Nor do we ever claim to,” Signal President Meredith Whittaker said in a post on X on July 9.

So why is all of this resurfacing now? Elon Musk, right-wing culture war politics, and Telegram.

Telegram is another popular messaging app, especially in Europe, Russia, and the Middle East. It doesn’t, by default, have end-to-end encryption. It’s also a vector for malware, scams, and violent imagery. On May 8, its CEO Pavel Durov called out Signal as an agent of the U.S. government in a post on Telegram.

“The US government spent $3 million to build Signal’s encryption, and today the exact same encryption is implemented in WhatsApp, Facebook Messenger, Google Messages and even Skype,” Durov said. “It looks almost as if big tech in the US is not allowed to build its own encryption protocols that would be independent of government interference.”

Durov was reacting to a report from right-wing provocateur Chris Rufo, who called out Signal for its involvement with NPR CEO Katherine Maher. “There are known vulnerabilities with Signal that are not being addressed,” Musk said on X in response to Rufo’s report.

No communication platform is secure, but there are gradients. “Signal Protocol, the cryptography behind Signal (also used in WhatsApp and several other messengers) is open source and has been intensively reviewed by cryptographers. When it comes to cryptography, this is pretty much the gold standard,” Johns Hopkins security researcher Matthew Green said on X at the time of the controversy.

According to a Signal engineer on GitHub, the plan is to use the Electron safeStorage API. This would allow Signal to use each OS’s own cryptography systems to add an extra layer of protection for the JSON where the key is stored. “This is a big change that will require a lot of testing,” the Signal engineer said on GitHub. “It will start rolling out soon in an upcoming beta release and hit production soon after that assuming everything goes well.”

Signal did not return Gizmodo’s request for comment.

Security concerns about our devices are top of mind right now. AT&T just revealed that hackers accessed its database in April and downloaded “nearly all” of its customers’ information from a period between May 2022 and October 2022.
