How about the #Signal desktop app vulnerability for which one contact in a group message using Signal desktop could expose the chat conversation because of the lack of encryption? I’m not familiar with the details of the issue but my understanding is that it hasn’t been fixed.
#SignalApp
You're likely talking about the issue where the keys for the SQLite database were stored in plaintext on disk.
That's been fixed reasonably well on Mac. On Windows & Linux they database keys are in the OSes keychain (or Secret Service or whatever they call it) but any app running as that user can just get them in plaintext, just like they could when they were on disk in plaintext.
Signal has a history of collecting everyone's phone numbers even after usernames were finally implemented, blocking open source clients from being in the stock F-droid repos, taking years to partially fix the plaintext keys thing, not actually having public code to run a server that actually works, not allowing 3rd party clients to connect to their centralized servers and so on...
Having said that, their crypto was still legit last time I looked at the code. Metadata protection is lacking, but that's going to be true of nearly every centralized service.
