discoverbtc / Adam
npub174d…vhl3
2024-10-24 01:59:20

I was not aware of this #security hole in Signal Desktop. The database encryption key was stored in plaintext for years. It's partially fixed now. Links below.

I looked at their repo and it hasn't been fully patched yet. For now they're supporting a fallback option, which means the key may still be stored in plaintext. You can check by looking at the config file where the key is stored.

"In addition to migrating to encrypted/keystore-backed local database encryption keys on supported platforms, our implementation also includes some additional troubleshooting steps and a temporary fallback option that will allow users to recover their message database using their legacy database encryption key if something goes wrong. This should help minimize data loss if any edge cases or other keystore-related bugs are discovered during the migration process and production rollout. The temporary fallback and legacy key will both be removed after everything has been tested and deployed on a wide variety of devices across various operating systems and OS versions."

https://www.bleepingcomputer.com/news/security/signal-downplays-encryption-key-flaw-fixes-it-after-x-drama/

https://github.com/signalapp/Signal-Desktop/pulls?q=is%3Apr+is%3Aclosed+safeStorage
Author Public Key
npub174dzvmgc6tuslmsj54rgdnhv9qdxuxwzzus626ty694ka3f6mt8sgavhl3
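
The config-file check the post describes, as an added example that is not part of the original post or of Signal's code: it classifies a config file by which key fields it holds and never prints key material. The field names `key` (legacy plaintext) and `encryptedKey` (keystore-wrapped) are assumptions not stated in the post, and the config file path is supplied by the user on the command line.

```python
import json
import sys

# Assumed field names (not given in the post): the legacy database key stored
# in plaintext, and the key wrapped by the OS keystore.
LEGACY_FIELD = "key"
WRAPPED_FIELD = "encryptedKey"


def _has_value(cfg: dict, field: str) -> bool:
    """True if the field is a non-empty string; the value is never returned."""
    value = cfg.get(field)
    return isinstance(value, str) and value != ""


def classify_config(raw: str) -> str:
    """Classify config contents by which key fields are present."""
    try:
        cfg = json.loads(raw)
    except json.JSONDecodeError:
        return "unreadable"
    if not isinstance(cfg, dict):
        return "unreadable"
    legacy = _has_value(cfg, LEGACY_FIELD)
    wrapped = _has_value(cfg, WRAPPED_FIELD)
    if legacy and wrapped:
        return "fallback-plaintext-present"  # migrated, legacy key still on disk
    if legacy:
        return "plaintext-only"              # not migrated
    if wrapped:
        return "keystore-only"               # no plaintext key in the file
    return "no-key-found"


# Constructed sample inputs; the hex strings are dummy values, not real keys.
SAMPLES = {
    "legacy": '{"key": "00112233445566778899aabbccddeeff"}',
    "fallback": '{"key": "0011223344556677", "encryptedKey": "7631300a0b0c"}',
    "migrated": '{"encryptedKey": "7631300a0b0c"}',
    "empty": "{}",
}

if __name__ == "__main__":
    if len(sys.argv) == 2:  # path to the config file, chosen by the user
        with open(sys.argv[1], encoding="utf-8") as fh:
            print(classify_config(fh.read()))
    else:
        for name, raw in SAMPLES.items():
            print(f"{name}: {classify_config(raw)}")
```

Either `plaintext-only` or `fallback-plaintext-present` means a usable database key is still readable by anything that can read the file.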