Replying to Guy Swann

I wouldn't say the conclusion is so simple as "don't install Signal" because it remains superior to typical alternatives (I mean if you're gonna use text or Telegram instead, just use Signal), BUT this is a very important security consideration.

From nostr:npub1exwkjulsaqdh5xlplwrnzs3z0p9shf54hw3kxj4pu8eq3wc35y0qu08x90

----------------------------------------------------

"Don't install @SignalApp for macOS, it is not secure.

I carried out this small experiment:

- I wrote a simple Python script that copies the directory of Signal's local storage to another location (to mimic a malicious script or app)

- I ran the script in the Terminal and got a copy of my Signal data on my Mac

- I booted a fresh macOS installation in a virtual machine

- I transferred the copy of Signal's data to the VM and placed it where Signal expects it: ~/Library/Application\ Support/Signal

- I installed Signal and started it

- Signal started and restored my session with all the chat histories 😳

- I exchanged a couple messages with a contact from the VM and it worked 😳

- Then, I started Signal on the Mac

- I got three sessions running in unison: Mac, iPhone, and VM 😳

Messages were either delivered to the Mac or to the VM. The iPhone received all messages. All of the three sessions were live and valid. Signal didn't warn me of the existence of the third session [that I cloned]. Moreover, Signal on the iPhone still shows one linked device. This is particularly dangerous because any malicious script can do the same to seize a session.

Perhaps this flaw is what makes some users think that Signal has a "backdoor", as it is easy for sophisticated attackers to target a victim who's using the Mac app and see their chats. (The same may also be true for the Windows app.)

#privacy #security"

------------------------------------------------

"This video shows that @signalapp (7.15.0) on macOS stores photos and docs sent through the app locally without encryption. Worse, the files are stored in a location accessible by any app or script. However, text messages are stored locally in an encrypted DB."

https://v.nostr.build/POVXr.mp4

Signal desktop app deleted......
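As an added defender-side example (not code from the original post, from Signal, or from anyone in this thread): a small Python audit that walks an attachments directory and flags files whose leading bytes identify them as plaintext images or documents, which is the condition the quoted post reports for the macOS app. It also reports whether each such file is group- or world-readable. The directory it would scan on a real Mac (`~/Library/Application Support/Signal`, as named in the post) and the assumption that an encrypted attachment carries no recognizable file header are assumptions; the sample directory it builds is constructed so the script runs offline.

```python
import os
import stat
import tempfile
from pathlib import Path

# Leading bytes that identify common media and document formats.
# Assumption: a file encrypted as a whole would not start with any of these,
# so a matching header means the attachment is stored in plaintext.
MAGIC = {
    b"\xff\xd8\xff": "JPEG image",
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"GIF87a": "GIF image",
    b"GIF89a": "GIF image",
    b"%PDF-": "PDF document",
    b"RIFF": "RIFF container (WAV/WebP/AVI)",
}


def classify(path):
    """Return a format label if the file's header matches a known format, else None."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    for magic, label in MAGIC.items():
        if head.startswith(magic):
            return label
    return None


def audit_attachments(root):
    """Walk `root` and report every file stored as recognizable plaintext media.

    Each finding records the file name, the detected format, and whether the
    POSIX mode bits allow group or other users to read it.
    """
    findings = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        label = classify(p)
        if label is None:
            continue  # no plaintext header: opaque (possibly encrypted) blob
        mode = p.stat().st_mode
        findings.append({
            "name": p.name,
            "format": label,
            "group_or_world_readable": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
        })
    return sorted(findings, key=lambda f: f["name"])


def build_sample_dir():
    """Create a constructed sample directory: two plaintext files, one opaque blob."""
    root = Path(tempfile.mkdtemp(prefix="attachment_audit_"))
    (root / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 64)
    (root / "scan.pdf").write_bytes(b"%PDF-1.7\n" + b"\x00" * 64)
    # Deterministic header-less bytes standing in for an encrypted attachment.
    (root / "blob.bin").write_bytes(bytes((i * 37 + 11) % 256 for i in range(80)))
    os.chmod(root / "photo.jpg", 0o644)  # readable by any local user/app
    os.chmod(root / "scan.pdf", 0o600)   # owner-only
    return root


if __name__ == "__main__":
    # Assumed location from the post; falls back to the constructed sample.
    signal_dir = Path.home() / "Library" / "Application Support" / "Signal"
    target = signal_dir if signal_dir.is_dir() else build_sample_dir()
    for finding in audit_attachments(target):
        print(f"{finding['name']}: {finding['format']}, "
              f"group/world readable: {finding['group_or_world_readable']}")
```

The header check is deliberately conservative: it only flags files it can positively identify as a known plaintext format, so an empty result means "nothing recognizable", not "everything is encrypted". The permission column matters because the post's concern is that any app or script running as the same user can read the files; on macOS the user's own processes share that access regardless of mode bits, so the real mitigation is the one the discussion below names, encrypting attachments at rest the way the message database already is.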


Discussion

I’m not sure that’s really the course of action honestly. I want to understand more about what this means before I remove my encrypted chat options.

Granted I use Keet more than anything else these days anyway.

Seems like an easy fix, right? Encrypt the storage for photos like you do with text for starters.

Yeah it doesn’t seem like a drastic or unsolvable problem. Just one for people to be aware of. I also feel like there has to be some way to verify individual device feeds/communication so that an invisible device can’t join the group or not be independent from your other devices. That’s the biggest concern here, imo