Skip to main content

Mac-specific vulnerability discovered with Signal’s self-destructing messages

A Mac-specific vulnerability has been discovered in the secure messaging app Signal.

Signal allows you the option of sending ‘disappearing’ messages which are automatically purged from the app after a preset time. This feature is often used for passing on the most sensitive information, to ensure there is no permanent record afterwards. But a security researcher has discovered a serious failing specific to the Mac app …

Motherboard spotted a tweet from Alec Muffett in which he reported that disappearing messages were displayed in the Notification Center – and remained there after they expired in the app.

If you are using the @signalapp desktop app for Mac, check your notifications bar; messages get copied there and they seem to persist — even if they are “disappearing” messages which have been deleted/expunged from the app.

Motherboard confirmed this, with Muffett saying the bigger concern was where Notification Center content was stored on a Mac, and whether it created a permanent record.

Security researcher and ex-NSA hacker Patrick Wardle investigated and found that it does.

Wardle explains and shows that the messaged end up in a SQLite database that is accessible with normal user permissions. That means any malware, hacker, or forensic expert who can bypass the full disk encryption, will be able to recover these messages even after they’re gone in the app, Wardle told me […]

“If I’m a nation state [hacking] group, I’m now going to code up a ‘grabSignalMessage’ plugin for my implants,” Wardle said.

As the piece notes, it’s not a big concern for the average user, as reading the database would require physical or remote access to the Mac while logged-in, but it does create a vulnerability that shouldn’t exist.

You can prevent it happening in future by going into Signal’s preferences pane, selecting Notifications and then ‘Neither name nor message.’ However, existing disappearing messages will remain in the database, which would need to be wiped to remove them.

Check out 9to5Mac on YouTube for more Apple news:

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel



Avatar for Ben Lovejoy Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!

Ben Lovejoy's favorite gear