Signal Desktop application leaves message decryption key in plain text potentially exposing them to an attacker. The issue was discovered by the reverse engineer researcher Nathaniel Suchy
The flaw affects the process implemented by the Signal Desktop application to encrypt locally stored messages.
Signal Desktop application leverages an encrypted SQLite database called db.sqlite to store the user’s messages. The encryption key for the encrypted database is generated by the application during the installation phase.
The key is stored in plain text to a local file called %AppData%\Signal\config.json on Windows PCs and on a Mac at ~/Library/Application Support/Signal/config.json.
The encryption key is used each time Signal Desktop application accessed the database.
“To illustrate this problem, BleepingComputer installed the Signal Desktop application and sent a few test messages. First we opened our config.json file to retrieve the encryption key, which is shown above.” read a blog post published by Bleeping Computer.
“We then opened the database located at %AppData%\Roaming\Signal\sql\db.sqlite using a program called SQLite Database Browser.”
By entering the key, the experts at Bleeping Computer were able to read the content of the database.
The issue could be easily addressed by requiring users to set a password that would be used to encrypt the key the database encryption key.
“This would be easily mitigated by requiring users to set a password and using that password to encrypt the key” Suchy told Bleeping Computer.
On August 2018, the Italian cybersecurity passionate Leonardo Porpora discovered that it was possible to recover the expired messages from Signal version 1.14.3,
(Security Affairs – Signal, hacking)