SUPER SECURE messaging service Signal has run into an Apple-shaped problem, as it’s been revealed that the macOS app fails to purge messages when the “self-delete” feature is enabled.
Signal’s self-delete function gives users the option to have their messages deleted after a set amount of time, great for freelance spies, the privacy conscious and the downright paranoid.
Problem is, information security consultant Alec Muffett found that the deleted messages dodge their own purging by surviving in macOS’ notification bar, complete with the date and time the messages were sent.
The problem seems to stem from a bug in the way Signal deals with macOS notifications, and the way macOS handles notifications is also partly to blame.
The message-reviving problem currently exists in macOS 10.13.4, the latest version of Apple’s desktop OS. Users of Signal on iOS can breath easy as though the notifications on iPhones and iPads may look similar to those in macOS, the bug hasn’t carried over.
When Signal is in active use the app doesn’t post notifications to the bar, but when it’s not, notifications get fired to the Notification Centre.
While the banner notifying the presence of a notification is notably dismissed, the actual notification itself isn’t, which pretty much renders the Signal’s self-delete feature useless on macOS, though the messages in the Signal app itself are deleted.
With some digging around and code conversion, another security researcher, Patrick Wardle, found that he could recover the contents of the deleted messages through digging around in the files and script of Notification Centre
The bug is a bit of a blow to Signal’s robust secure messaging, but it’s worth noting that users can manually dismiss the notifications to assist in the purging of the messages, though that’s not an ideal solution. And by changing the notification settings of the Signal app the issue can be mitigated.
But that won’t give anyone sending a sensitive Signal message to another macOS user much peace, as they have no guarantee that the recipient is aware of the problem and has taken measure to bypass it.
Open Whisper Systems, the people behind Signal, have yet to publicly discuss the flaw, but we’d suspect it’ working on something to squash the bug with. µ
Source : Inquirer