A vulnerability that the developers ignored for six years has been fixed in the secure messenger Signal.

The developers of the Signal application have only now taken measures to eliminate a vulnerability in the desktop version of the client that was first pointed out to them in 2018. For six years they did not consider it a problem, answering that they had never promised protection against it.


When you install the Signal desktop app for Windows or macOS, an encrypted SQLite database is created that stores the user's messages. This database is encrypted with a key that the program generates without user intervention. For the program to open the database and store correspondence in it, it needs access to that encryption key, which is kept in cleartext in a JSON file in the application folder. But if the application can read this key, so can any other user or any other application running on the same computer. As a result, the database encryption is effectively useless: it adds no security beyond the file permissions already protecting the folder.


Users of the messenger have repeatedly reported this to its developers since 2018, but the answer has always been roughly the same: they have never claimed to secure the local database. In May of this year the problem came to the attention of Elon Musk, who wrote on his social network X that there are known vulnerabilities in Signal that are not being fixed. The platform's fact-checking service refuted this statement, noting that no properly documented vulnerabilities had been found in the messenger, a position also confirmed by Signal President Meredith Whittaker.

The situation continued to escalate, but the problem was resolved by independent developer Tom Plant, who proposed using the Electron SafeStorage API to protect Signal's data store. This moves the encryption key into a secure location provided by the operating system: on Windows this is DPAPI, on macOS it is Keychain, and on Linux it is the secret store of the current desktop session, for example kwallet or gnome-libsecret. It is not a perfect solution, particularly on Windows with DPAPI, where anything running as the same user can still unwrap the key, but it is an additional layer of protection. Two days ago a Signal representative said that the proposed solution has been integrated into the messenger and will appear in the upcoming beta version of the client. While the new implementation is being tested, the Signal developers have retained a backup mechanism that lets the program decrypt the database in the old way.
