Signal is finally addressing a critical security flaw in its desktop client by altering how it stores plain text encryption keys for its data store. This change comes after years of downplaying the issue since it was first highlighted in 2018.
In 2018, reports came out that Signal Desktop, when installed on Windows or Mac, created an encrypted SQLite database to store user messages. The encryption key for this database, generated by the program without user input, was stored as plain text in a local file: ‘%AppData%\Signal\config.json’ on Windows and ‘~/Library/Application Support/Signal/config.json’ on Mac.
This storage method meant that while Signal could access the encryption key, so could any other user or program on the computer, rendering the encryption ineffective.
Nathaniel Suchy, the researcher who discovered this vulnerability, suggested encrypting the local databases with a user-supplied password that would never be stored. This approach is commonly used by cloud backup software, web browsers, password managers, and cryptocurrency wallets to enhance security, reports Bleeping Computer.
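The sketch below contrasts the two layouts described above: a config file that holds the database key itself, and one that holds only what is needed to re-derive the key from a passphrase. It is an added illustration in Python, not Signal's code; the field names, the scrypt parameters and the sample key are assumptions made for the example.

```python
import hashlib
import hmac
import os
import re
from typing import Optional

# Constructed sample of the legacy layout: the database key sits in the file itself.
# The field name "key" and this all-zero value are assumptions of this sketch.
LEGACY_CONFIG = {"key": "00" * 32}

# scrypt cost parameters (assumed; tune to the slowest hardware you support).
SCRYPT = {"n": 2**14, "r": 8, "p": 1}


def holds_raw_key(config: dict) -> bool:
    """True if the config carries a 256-bit key as plain hex."""
    value = config.get("key")
    return isinstance(value, str) and re.fullmatch(r"[0-9a-fA-F]{64}", value) is not None


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Stretch the passphrase into a 32-byte database key."""
    return hashlib.scrypt(passphrase.encode(), salt=salt, dklen=32, **SCRYPT)


def _check_value(key: bytes) -> str:
    # Lets unlock() reject a wrong passphrase without storing the key.
    return hmac.new(key, b"key-check", hashlib.sha256).hexdigest()


def new_config(passphrase: str) -> dict:
    """Config that stores only the salt, KDF parameters and a check value."""
    salt = os.urandom(16)
    key = derive_key(passphrase, salt)
    return {"kdf": "scrypt", "salt": salt.hex(), "params": SCRYPT,
            "check": _check_value(key)}


def unlock(config: dict, passphrase: str) -> Optional[bytes]:
    """Re-derive the key at startup; None means the passphrase was wrong."""
    key = derive_key(passphrase, bytes.fromhex(config["salt"]))
    if hmac.compare_digest(_check_value(key), config["check"]):
        return key
    return None
```

With this layout, a copy of the config file alone no longer yields the database key; the strength of the scheme then rests on the passphrase and the KDF cost.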
Despite this suggestion, Signal did not initially address the flaw. Instead, a Signal Support Manager stated in the Signal forum that the database key was never intended to be a secret and that at-rest encryption was not a feature Signal Desktop aimed to provide.
Fast forward to 2024, and the issue resurfaced prominently on social media. Elon Musk’s tweet about the vulnerability sparked renewed scrutiny. Although Musk did not specify the vulnerabilities, the timing coincided with warnings from mobile security researchers Talal Haj Bakry and Tommy Mysk, who reiterated that Signal Desktop’s encryption key was still stored in plain text, making users vulnerable to data exfiltration.
Signal president Meredith Whittaker responded to Musk’s tweet, emphasising that there were no known vulnerabilities and urging responsible disclosures of any issues. Whittaker downplayed the flaw, stating that if an attacker had full access to a device, Signal could not fully protect the data, a limitation shared by other applications.
However, the flaw’s persistence and public outcry eventually led to action. In April, independent developer Tom Plant proposed a solution using Electron’s SafeStorage API to enhance security against offline attacks. This API leverages operating system cryptography systems and secure key stores, such as the Keychain on macOS and DPAPI on Windows, to store encryption keys securely.
Following widespread media uproar, Signal responded by integrating Electron’s SafeStorage API in the upcoming beta version of the Signal Desktop app. Signal has also introduced a fall-back mechanism in case of data loss during the transition.
The company is currently testing the feature and will remove the legacy key completely. While social media users laud this development, some have criticised Signal for waking up too late, and only after social media pressure, which is unbecoming of a company like Signal.