UPDATE, May 10, 5:51 p.m. ET: Signal pushed out an update to its Desktop app that appears to mitigate this issue. In the update release notes, Signal said it improved notifications, removing them when they are read, “on focus,” and “on exit.”
This means they get removed from the database when their respective messages are read, if the app is on the forefront, or when the user exits the app. Wardle confirmed that the new version addresses the issue.
The original story is below.
When it comes to protecting your messages and calls from snoops, many security experts point to the Signal app as one of the best options out there (and we at Motherboard generally agree). But Signal isn’t perfect, and if you use the desktop client on a Mac, you might want to be careful about the app’s notifications—they may expose your private messages.
One of Signal’s best features is that messages can be set to “self-destruct,” meaning there is no paper trail for conversations in the app. But with Signal’s default settings on a Mac, your friends’ messages appear—and live on—on the operating system’s notifications bar even if the message is set to self-destruct using Signal’s timer. These notifications include the sender’s name and the message’s content.
Security researcher Alec Muffett noticed this issue on Tuesday, and warned his Twitter followers.
“I was just drinking a cup of tea, accidentally opened up my MacOS notifications bar, and thought 'That looks bad...'" he told Motherboard in an online chat.
Motherboard was able to verify that messages that have self-destructed inside the Signal desktop app are still displayed in the notifications bar.
Muffett said that he is chiefly worried about where in Apple’s operating system this data lives, and whether it’s cached or written somewhere where it can be recovered. Apple did not respond to a request for comment on how MacOS handles notification data.
Got a tip? You can contact this reporter securely on Signal at +1 917 257 1382, OTR chat at email@example.com, or email firstname.lastname@example.org
As it turns out, the data is stored on disk inside the operating system, according to Mac security researcher Patrick Wardle. Wardle found that the disappearing messages that have appeared as notification can be recovered later, even after they are gone within the Signal app.
In a blog post, Wardle explains and shows that the messaged end up in a SQLite database that is accessible with normal user permissions. That means any malware, hacker, or forensic expert who can bypass the full disk encryption, will be able to recover these messages even after they’re gone in the app, Wardle told me.
“This is definitely less than ideal,” Wardle, who is the chief research officer at Digita Security, told me in a Signal chat. “We set messages to disappear with the expectation that they will go poof. Often such messages are very sensitive, and would be ruinous if they well in the wrong hands.”
“If I’m a nation state [hacking] group, I’m now going to code up a ‘grabSignalMessage’ plugin for my implants,” Wardle said.
To be clear, this is not a major threat for most people—someone would still need to hack or otherwise get their hands on your Mac computer to read the messages. But if you’re an at-risk user such as a humanitarian worker, a political aide, or journalist and are worried about those scenarios, you should be aware of the issue. And, luckily, there’s an easy fix.
In the Signal desktop app’s preferences, navigate to the “Notifications” section and check the option “Neither name nor message” or “Only sender name.”
This way, the content of the message is never displayed outside of the desktop app.
Note that this does not remove the disappearing messages that were displayed as notification and ended up in the database. You’ll have to wipe that database to get rid of those.
Open Whisper Systems, the organization that develops Signal, did not immediately respond to a request for comment on whether they are working to fix this issue.
Joseph Cox contributed reporting.
Get six of our favorite Motherboard stories every day by signing up for our newsletter.