Signal downplays encryption key flaw, fixes it after X drama


Signal is finally tightening its desktop client’s security by changing how it stores plain text encryption keys for the data store after downplaying the issue since 2018.

As reported by BleepingComputer in 2018, when Signal Desktop for Windows or Mac is installed, it creates an encrypted SQLite database to store a user’s messages. This database is encrypted using a key generated by the program and without input from the user.

For a program to be able to decrypt an encrypted database and use it to store data, it must have access to the encryption key. In Signal’s case, it stores the key as plain text in a local file called %AppData%Signalconfig.json in Windows and ~/Library/Application Support/Signal/config.json on a Mac.

Decryption key in Signal's config.json on Windows
Decryption key in Signal’s config.json on Windows
Source: BleepingComputer

However, if Signal can access this key then so can any other user or program running on the computer, making the encrypted database worthless and providing little to no extra security.

One solution offered by the researcher who found this flaw, Nathaniel Suchy, was to encrypt the local database with a user-supplied password that is never stored anywhere, as we see with cloud backup software, web browsers, password managers, and cryptocurrency wallets.

When BleepingComputer contacted Signal about the flaw in 2018, we never received a response.

Instead, a Signal Support Manager responded to a user’s concerns in the Signal forum, stating that the security of its database was never something it claimed to provide.

“The database key was never intended to be a secret. At-rest encryption is not something that Signal Desktop is currently trying to provide or has ever claimed to provide,” responded the Signal employee.

To be fair to Signal, encrypting local databases without a user-supplied password is a problem for all applications and relies on extra steps to tighten security further.

However, as a company that prides itself on its security and privacy, it was strange that the organization dismissed the issue and did not attempt to provide a solution.

Design flaw resurfaces again on X

Fast-forward almost six years later, and Elon Musk tweeted, “There are known vulnerabilities with Signal that are not being addressed. Seems odd …”

Musk did not share what vulnerabilities he was referring to, and some saw Musk’s tweet as an attempt to assist Telegram in a campaign claiming it was more secure than Signal.

Signal President Meredith Whittaker responded that no known vulnerabilities need to be addressed, and if there are, they should be responsibly disclosed to the organization.

“Hi, hello, we don’t have evidence of extant vulnerabilities, and haven’t been notified of anything. We follow responsible disclosure practices, and closely monitor security@signal.org + respond & fix any valid issues quickly,” Whittaker tweeted.

However, last week, mobile security researcher Tommy Mysk again warned on X not to use Signal Desktop because of the same security weakness we reported on in 2018.

Mysk tweet

In a series of tweets, Mysk illustrated how photos and apps sent through the messaging app are not stored in a secure or encrypted location and that the encryption key for the message store is still stored in plain text on the system.

“The community note is wrong and Elon Musk is right. Signal’s desktop apps encrypt local chat history with a key stored in plain text and made accessible to any process,” tweeted Mysk in another thread.

“This leaves users vulnerable to exfiltration. The issue was reported in 2018, but it hasn’t been addressed”

In response, Whittaker downplayed the flaw, stating that if an attacker has full access to your device, Signal cannot completely protect the data.

“The reported issues rely on an attacker already having *full access to your device* — either physically, through a malware compromise, or via a malicious application running on the same device,” Whittaker tweeted.

“This is not something that Signal, or any other app, can fully protect against. Nor do we ever claim to.”

While it is unclear what full access to a device means, anyone with remote access or malware running on the device could access the data.

The response was unusual after Whittaker’s constant retweets about the security and privacy implications of Microsoft’s Windows Recall and how data could be stolen by local attackers or malware.

While the Windows Recall feature undoubtedly consumes far more sensitive data, similar concerns could be applied to Signal, which is used for confidential messaging that, in some countries, could land a person in prison.

However, Microsoft responded to the much-deserved criticism by saying they would delay the release of Windows Recall to add additional protections to secure collected data from local attacks and test the product further.

Signal will now tighten database encryption

In April, an independent developer, Tom Plant, created a request to merge code that uses Electron’s SafeStorage API to further secure Signal’s data store from offline attacks.

“As a simple mitigation, I’ve implemented Electron’s safeStorage API to opportunistically encrypt the key with platform APIs like DPAPI on Windows and Keychain on macOS,” Plant explained in the merge request.

Electron’s safeStorage API provides additional methods to secure the encryption key used to encrypt data stored locally on a device.

When used, encryption keys are generated and stored using an operating system’s cryptography system and secure key stores. For example, on Macs, the encryption key would be stored in the Keychain, and on Linux, it would use the windows manager’s secret store, such as kwallet, kwallet5, kwallet6, and gnome-libsecret.

The safeStorage API falls short for Windows, as it uses DPAPI, which only secures the encryption key against other users on the same device. That means any program or malware running under the same user context as the one who uses Signal would theoretically be able to access the data.

While the solution would provide additional security for all Signal desktop users, the request lay dormant until last week’s X drama. Two days ago, a Signal developer finally replied that they implemented support for Electron’s safeStorage, which would be available soon in an upcoming Beta version.

While the new safeStorage implementation is tested, Signal also included a fallback mechanism that allows the program to decrypt the database using the legacy database decryption key.

“In addition to migrating to encrypted/keystore-backed local database encryption keys on supported platforms, our implementation also includes some additional troubleshooting steps and a temporary fallback option that will allow users to recover their message database using their legacy database encryption key if something goes wrong,” explained Signal developer Jamie Kyle.

“This should help minimize data loss if any edge cases or other keystore-related bugs are discovered during the migration process and production rollout.

Signal says that the legacy key will be removed once the new feature is tested.

Though its good to see that we have these additional protections coming to Signal, some are disappointed it only happened after the uproar on X.

Comment posted to Signal merge request
Comment posted to Signal merge request

BleepingComputer contacted Signal with further questions but has yet to receive a response.


Signal downplays encryption key flaw, fixes it after X drama



Source link