 There’s been some chatter about Signal desktop recently, so let’s clear the air. Three points: 1. The reported issues rely on an attacker already having *full access to your device* — either physically, through a malware compromise, or via a malicious application running on the same device. This is not something that Signal, or any other app, can fully protect against. Nor do we ever claim to. 54 comments
We ask those who are serious about security and privacy to please engage us directly in the future, instead of resorting first to online claims that can confuse non-experts and lead people to make unsafe choices and develop inaccurate mental models based on scary language. We monitor security@signal.org carefully and respond to all legitimate reports.  @Mer__edith as always, these people act in bad faith, and as always, the only thing they get is making people less secure. heck, this whole thing was already discussed a year and a half ago after the bogus CVEs filed by johnjhacking. but of couse the ones spreading this never bother to check if this has already been discussed before, since they only want attention. @Mer__edith Certain types of people want to be influencers. I think a better word to describe them is infamous. @Mer__edith After reading "trust me I'm lying" asking for this feels like asking water to not be wet. Anyone that knows security would realize that an exploit that requires full system access isn't really an exploit but non-news. So it feels like emotional click farming, with no regards whatsoever for actual fact checking. @toolsontech @Mer__edith The real issue here is the forward access (session cloning), which seems like a pretty big issue. Momentary access to a system (not necessarily “full” access) can get someone the info needed to silently clone a session, intercept future messages, and impersonate the victim. @Mer__edith Is it possible to add this address to the footer of signal.org or create a security.txt ? One have to go through the FAQ to find out this email address Non-Expert here. Love using Signal with my closest peeps for quality & to avoid data scraping... We understand cyber security is constantly evolving. We also understand in light of recent news everywhere, at any time someone else could be reading everything on our screen and certainly our desktops are vulnerable even with good software protecting us.  "at any time someone else could be reading everything on our screen and certainly our desktops" Huh? Who are "someone else", and how can they access your computers?  @LawmanLungis @UrNotTheBossOfUs @Mer__edith @LawmanLungis @Mer__edith Hi Meredith, let me address your points: 1) The issue we highlighted does not require “full” access to the device. Signal desktop stores the chat database in an unprotected area of the file system that’s accessible by any user process. This would allow any program without any special permissions or user prompts to access the database in full. This can be solved by sandboxing, which relies on the OS to prevent any process from accessing data within the sandbox. … 🧵 1/4 2/4 2) The issue was reported to Signal by others back in 2018, so we didn’t find anything new. App sandboxing technology had been available for a long time on desktop (Windows AppContainer and macOS App Sandbox). Even if we ignore sandboxing, while Signal encrypts the chat database, it stores the encryption key insecurely in plaintext. … 🧵 3/4 3) We “the posters” didn’t feel the need to reach out to Signal first since the issue had been known to Signal’s developers since 2018. After 6 years without a resolution, we believe it becomes more important to raise awareness than to attempt to directly engage with Signal, or any other vendor. Also, I challenge you to point out any instance of inflammatory language in our posts about Signal. …🧵 4/4 Finally, Signal has a huge responsibility towards your users, many of whom rely on Signal to be the most secure way of communicating in areas of the world where their lives would be in danger if their messages were to be compromised. This is not hyperbole, and Signal needs to continue to live up to that responsibility. All I can say as a user who relies on Signal a lot and is one of few who actually supports Signal by monthly donations through its app is this: The expectation from the paragon of private and secure messaging platform is that it is indeed fully private and secure to a point where even physical access (short of knowing admin credentials), Signal must be made to ensure of anything within it is encrypted, including pictures and documents that may be shared. I love Signal and will continue to use and support and recommend it but it’s things like this that slowly begin to leave a bad taste in your mouth. I hope this is resolved soon. By the looks of it, it can be as it’s a technical issue and we don’t seem to be limited by technology unless my interpretation and inference from all that I have read is incorrect. Please look into this more and share an update with a fool proof resolution for the millions relying on it.  @mysk @mysk plus Desktop Systems are a lot more vulnerable and susceptible to malware than Mobile OS's, especially Windows. I have always been wary of using Messenger Apps on Desktop - rightfully so, it turns out. @mysk 🙏 f.y.i. they only talk about Windows & Mac - hopefully Penguins will be fixed too. https://www.bleepingcomputer.com/news/security/signal-downplays-encryption-key-flaw-fixes-it-after-x-drama/ @lawrenceabrams @Mer__edith Most of these people are probably serious about attacking Signal for various reasons and not serious about security and privacy. "Experts" who in order to criticize a piece of software pull the OS-security card are not experts at all or have ill intentions to begin with.  @Mer__edith @Mer__edith This was reported back in 2018 which was closed as “won’t fix” redirecting to this from 2015. @Mer__edith Wasnt this first disclosed in 2018? Seems like its been on the back burner for a while and just recently resurfaced. @Mer__edith Why is Signal desktop based on Electron, which is basically an outdated Chrome/Chromium browser that does not follow widely acctepted Linux standards and makes it hard to package for distributions as well as making it harder to make this "secure" instead of using literally anything else? 🤔 I like the approach of the alternative client Flare a lot. It's got a clean interface and it's not a browser. @erebion @Mer__edith @erebion @Mer__edith Signal is currently using Electron 31.x (https://github.com/signalapp/Signal-Desktop/blob/b34f2fbb99d68bd462715f8519524100580fb372/package.json#L293) which is itself tracking current chromium (128.x). I'm not an Electron fan either, but that doesn't mean it's ok to spread fake info.  @Mer__edith I am deeply worried by how you are trying to misrepresent and distort this situation. Your words are damaging my trust in Signal a lot more than the actual security issue at hand. You claim that the attack "requires full access" (it only requires read-only access), that it cannot be avoided (other messaging clients protect against this particular scenario), and that is was disclosed irresponsibly (the issue was mentioned and circulated on twitter a year or two ago). @whynothugo @Mer__edith There is no such thing as read-only access to a computer. To read and exfiltrate data, you must have control of the machine. Control is full access, the terms are used interchangeably. @jntesteves An attacker might have access to backups, or might be able to run code as an unprivileged user. These two (and countless others) scenarios grant an attacker read data without being even close to "full access". @Mer__edith "US holiday weekend"? sorry to say, but such a thing is irrelevant to ~95% of the world popoluation. Thanks for your reaction. @lienrag @Mer__edith if a machine is compromised, all you need to do is screen captures at short intervals to get a lot of useful information. Not passwords required.  @MaybeMyMonkeys @lienrag @Mer__edith it literally doesn't matter. At the point that something is actively detecting that signal is installed and trying to get data in the machine it can do anything. Screenshots, keylogger, access files, intercept the network, etc. It's basically not possible to have Signal app installed and running in windows in a way that doesn't allow malicious things running from getting wtv it wants. The whole thing is blown out of proportion. Don't use it on windows.  @Mer__edith Since mobile OSes have much stronger sandboxing, and Signal on desktop OSes will always be more likely vulnerable to malware, would you consider at least indicating that I’m talking to someone that has Signal on PC vs not? @Mer__edith The scenario that has been mentioned lately is "an attacker with temporary read-only access to the filesystem can copy session data and hijack the session indefinitely without any indication". This CAN be mitigated, and plenty of other messaging applications have done so for many years. The most obvious solution to this particular problem is using the platform-specific keyring to store the session token so that it is encrypted at rest. I want to make it clear that it is theoretically possible to prevent this attack, that many other messaging clients prevent against it, and even alternative clients to Signal's network prevent it. Flare (an alternative Signal client) DOES protect against this specific attack: https://gitlab.com/Schmiddiii/flare/ Your claims of "This is not something that Signal [...] can protect against" is complete BS. @JezCaudle @Mer__edith This attack **does not** require an attacker to have unrestricted access to the device, it only requires a one-time read-only access. @Mer__edith Well, the logic doesn't make sense as to why you encrypt local messages but not media then, does it? @alextecplayz But I do suggest that you think about how you voice critic. It doesn't sound very grateful, especially considering what Signal is doing for humanity. @Mer__edith This is a lie. You should honestly accept Signal took no action to fix a vulnerability reported 6 years ago. |
Gregory's Server
2. We continue working to harden our desktop build across supported operating systems and take advantage of new platform capabilities as they emerge. Those of you following our repo can follow this work there.
3. The posters who raised this issue did so without contacting us directly. Instead, they went straight to social media, in some cases using inflammatory language. And they dropped these claims over a US holiday weekend. This is the opposite of responsible disclosure.