A vulnerability that the developers ignored for six years has been fixed in the secure messenger Signal.

The developers of the Signal application have only now taken measures to eliminate the vulnerability in the desktop version of the client, which was pointed out to them back in 2018 – for six years they did not consider it a problem and said there was no obligation to do so.

Image source: Mika Baumeister / unsplash.com

When you install the Signal desktop app for Windows or macOS, an encrypted SQLite database is created that stores the user’s messages. This database is encrypted using a key that is generated by the program without user intervention. In order for the program to open the database and use it to store correspondence, it needs access to the encryption key – it is stored in the application folder in clear text in a JSON file. But if an application has access to this key, then any other user or other application working on the same computer can do this – as a result, database encryption is useless because it does not provide additional security.

Image source: x.com/elonmusk

Users of the messenger have repeatedly reported this to its developers since 2018, but the answer has always been approximately the same: they have never claimed to ensure the security of the database. In May of this year, the problem was brought to the attention of Elon Musk, who wrote on his social network X that there are known vulnerabilities in Signal that are not being fixed. The platform’s fact-checking service refuted this statement, noting that no properly documented vulnerabilities were found in the messenger – a thesis confirmed by Signal President Meredith Whittaker.

The situation continued to escalate, but the problem was resolved by independent developer Tom Plant, who proposed using the Electron SafeStorage API to protect the Signal data storage. This will allow you to transfer the encryption keys to secure locations: for Windows this is DPAPI, for macOS it is Keychain, and for Linux it is the secret storage of the current window manager, for example, kwallet or gnome-libsecret. This isn’t a perfect solution, especially on Windows with DPAPI, but it’s still an additional security measure. And two days ago, a Signal representative said that the proposed solution has been integrated into the messenger, and it will already appear in the upcoming beta version of the client. While the new implementation is being tested, the Signal developers have retained a backup mechanism that allows the program to decrypt the database in the usual way.

admin

Share
Published by
admin

Recent Posts

US Commerce Secretary Indicates Trump Will Still Move Electronics Manufacturing Away From Taiwan

The exemption of semiconductor product categories from increased U.S. tariffs was only a temporary measure,…

1 hour ago

Trump says TikTok deal close, tariffs could come in handy in China talks

Formally, the deferment on the ban on the TikTok social network in the US is…

3 hours ago

Mobile GeForce RTX 5090 Disappoints Reviewers With Weak Performance Upgrades Over RTX 4090

Laptops with discrete GeForce RTX 50-series graphics cards will go on sale in a few…

5 hours ago

The test version of Windows 11 received extended support for the ReFS file system – it will replace NTFS, but then

The latest Windows 11 Build 27823 introduces extended support for the new ReFS (Resilient File…

5 hours ago

The developer of the legendary Pebble smartwatch has revealed details about the new Core 2 Duo and Core Time 2 watches

Pebble founder Eric Migicovsky recently unveiled his new smartwatches, powered by Pebble OS. The devices,…

5 hours ago