Signal has long been popular for its encrypted messaging. Just recently, however, the desktop version exhibited a vulnerability that ruined the messenger's entire encryption feature. Reportedly, the Signal Desktop app inadvertently exposed the decryption key to users. Using this key, anyone with physical access to the computer can easily decrypt and view the messages.
Signal Desktop App Exposed Message Decryption Key
A researcher has discovered a critical flaw in the Signal Desktop client that allegedly leaves messages vulnerable to hacking. As explained by Nathaniel Suchy, the vulnerability exists because the messenger requires the decryption key every time it opens the database. As a result, the decryption key itself is not really encrypted.
https://twitter.com/nathanielrsuchy/status/1054720111330951168
Explaining further how it works, Bleeping Computer stated:
“When Signal Desktop is installed, it will create an encrypted SQLite database called db.sqlite, which is used to store the user's messages. The encryption key for this database is automatically generated by the program when it is installed without any interaction by the user. As the encryption key will be required each time Signal Desktop opens the database, it will store it in plain text to a local file called %AppData%\Signal\config.json on PCs and on a Mac at ~/Library/Application Support/Signal/config.json.”
And that’s what makes the function a vulnerability. Anyone with physical access to the computer can open the plain-text file to find the decryption key. The attacker may then use this key to open the SQLite database and, hence, easily access the entire app contents.
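A defender-side check for the condition described above, as an added example that is not part of the original article or of Signal's code: it reports whether a Signal Desktop config.json holds the database key in plain text and whether other local accounts can read the file, without ever printing the key. The JSON field name `key` and the helper names are assumptions, and the sample config is constructed.

```python
import json
import os
import re
import stat
import tempfile

# A long hex string looks like raw key material rather than a setting.
HEX_KEY = re.compile(r"^[0-9a-fA-F]{32,}$")


def audit_signal_config(path):
    """Return findings for a Signal Desktop config.json; never echoes the key."""
    findings = []
    with open(path, encoding="utf-8") as fh:
        config = json.load(fh)

    # Assumption: the database key is a top-level string field named "key".
    value = config.get("key") if isinstance(config, dict) else None
    if isinstance(value, str) and HEX_KEY.match(value):
        bits = len(value) * 4
        findings.append(f"plaintext database key present ({bits} bits, value withheld)")

    # POSIX only: flag the file when accounts other than the owner can read it.
    if os.name == "posix":
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append(f"config readable by group/other (mode {mode:04o})")
    return findings


def audit_constructed(config, mode):
    """Write a constructed config.json with the given mode and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "config.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(config, fh)
        os.chmod(path, mode)
        return audit_signal_config(path)


if __name__ == "__main__":
    sample = {"key": "ab" * 32}  # constructed sample, not a real key
    for finding in audit_constructed(sample, 0o644):
        print("FINDING:", finding)
```

The permission check only covers other local accounts; a plaintext-key finding remains even with owner-only permissions, because anyone who can open the file as the logged-in user still reads the key.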
Patch Awaited
The researcher, Nathaniel Suchy, disclosed his findings on Twitter, where he also stated that he couldn’t contact Signal. “They stopped responding to my beta feedback emails a while ago,” said Suchy while replying to his tweet.
What’s more alarming is that the service has yet to patch the bug. This means that, for now, all Signal users need to be extra cautious while using the Signal Desktop app, as it puts their privacy at risk.
Posted from my blog with SteemPress : https://latesthackingnews.com/2018/10/25/signal-desktop-app-vulnerability-exposes-message-decryption-key-to-the-users/