Signal’s “disappearing messages” live on in macOS notifications

Tech
Publisher

Signal, the privacy-focused voice and text messaging application, offers an attractive bit of operational security: ephemeral text messages that “self-delete” after a predetermined amount of time. There is just one small problem, however, with that feature on the Mac desktop version of the application, as information security consultant Alec Muffett discovered: if you sent a self-deleting message to someone using the macOS application, the message lives on in macOS’s Notifications history.

#HEADSUP: #Security Issue in #Signal. If you are using the @signalapp desktop app for Mac, check your notifications bar; messages get copied there and they seem to persist — even if they are “disappearing” messages which have been deleted/expunged from the app. pic.twitter.com/CVVi7rfLoY

— Alec Muffett (@AlecMuffett) May 8, 2018

Ars reproduced the problem, which Patrick Wardle of Objective See conducted a particularly deep dive on—revealing that the problem is in part a bug in the way Signal handles calls to the macOS notification system, and in part is just how macOS notifications work.

Messages that self delete from Signal still show up in notifications

If you’ve turned notifications off for Signal, or limited the amount of information that gets pushed to Notifications through Signal’s settings, this is not a problem; if you have not, you’ll likely want to change your settings for now until a future version of Signal fixes the issue.

Because Signal does not provide any guidance to Notifications on how to handle the messages once they’ve been seen, macOS does not automatically delete notifications—even after their time has expired. In fact, the messages are retrievable from a non-encrypted, user-readable SQLite database in macOS’s hidden /private directory, which stores each Mac user’s notifications. While the messages are stored in hexadecimal format as a binary property list (plist), the data can easily be converted back to plain text. And voila, your friend’s self-deleting message is recovered.

Again, all of this can easily be mitigated by simply changing the notification settings for Signal, or using full-disk encryption to make sure no one can gain access to your hard drive to retrieve the SQLite files without your password. But there’s nothing on the sender’s end that guarantees that will happen—so as always, send your ephemeral messages with care.

[ufc-fb-comments url="http://www.newyorkmetropolitan.com/tech/signals-disappearing-messages-live-on-in-macos-notifications"]

Latest Articles

Continue to the category
Previous articleStar Trek: The Next Generation’s Enterprise-D is coming to Bridge Crew
Next articleExplorer is getting a dark theme, and it’s very dark

Related Articles

Dwell Secure & New York Software Developers Create Disaster Preparedness App

Tech Eryn Johnson - 0
Dwell Secure works with New York Software Developers to create a disaster preparedness app that seeks to save money and potentially lives. Home is perhaps...
Read more

Researchers track fishing fleets by putting radar sensors on birds

Tech Publisher - 0
Wildlife management has been revolutionized by the ability to track species in their natural habitats—to figure out what areas they actually occupy, where...
Read more

Apple reports a blowout Q1 2020, but names coronavirus as a worry for the next quarter

Tech Publisher - 0
Based on the latest Apple quarterly earnings report, it seems that Apple's newer iPhone models have been a hit, along with the...
Read more

©2021 Copyright - New York Metropolitan Magazine