SecurityWeek

Deleted Signal Messages Linger on macOS

Messages from the Signal desktop application for Mac are not deleted from the machine, but are instead copied to the notifications bar, where they persist, a security researcher warns.

The issue, discovered by Alec Muffett, impacts even disappearing messages, which remain in the operating system’s Notification Center.

Introduced in OSX 10.10 (Yosemite), Notification Center was designed to help users easily access details about their day and catch up on notifications they might have missed, and Signal uses it to alert on newly arrived messages. If the Signal application is not in the foreground, the notification is by default displayed at the top right corner of the screen.

The creation and posting of notifications to the Notification Center on macOS can be done in various manners, using the NSUserNotification class. After a few seconds, however, the operating system automatically dismisses notifications from the screen, if the user doesn’t interact with them.

The default type of notification is a ‘banner’ that gets dismissed after a few seconds, but developers can also specify the type ‘alert’ (by setting the ‘NSUserNotificationAlertStyle’ key to ‘alert’), which is an interactive notification.

The Signal app, however, does not specify an ‘NSUserNotificationAlertStyle’ style, meaning that it uses the default type of notification, a non-interactive ‘banner’ auto-dismissed by the OS.

As Objective-See’s Patrick Wardle points out, even if the application is in focus and the notification isn’t shown to the user, if the application invokes [NSUserNotificationCenter defaultUserNotificationCenter], the notification goes to the Notification Center.

Furthermore, the notification is not removed from the Notification Center, unless the type is ‘alert’ and the user interacts with it, the application explicitly dismisses it, or the user opens the Notification Center and clicks ‘x’.

However, Signal’s disappearing messages may not disappear on macOS even if the application deletes them from the UI.

They may persist in the Notification Center because a message notification is posted there when the app is not in the foreground and because the OS automatically dismisses the notification ‘banner’, but leaves the actual notification (which contains the message contents) in the Notification Center.

What’s more, “Signal does not explicitly delete this notification when it deletes messages from the app UI,” the security researcher explains.

However, if the Signal application is in the foreground, no such notification is posted, meaning that the messages don’t end up in the Notification Center. Furthermore, the messages appear in the Notification Center truncated, because the notifications limit the amount of text being displayed.

Wardle also explains that Signal messages that end up in the Notification Center can even be recovered after deletion, because notifications are stored on the disk in a SQLite database readable with user (non-root) permissions.

The database contains not only information on the applications that have posted notifications, but also the notifications themselves, along with their contents. Thus, the full text of Signal messages that arrived as notifications can be recovered from there, even if some messages were set to disappear.

“If the application wants the item to be removed from the Notification Center, it must ensure that the alert is dismissed by the user or programmatically! However, it is not clear that this also ‘expunges’ the notifications (and their contents) from the notification database… I’m guessing not! If this is the case, Signal may have to avoid generating notifications (containing the message body) for disappearing messages,” Wardle concludes.
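The two mitigations Wardle describes (keeping the message body out of notifications for disappearing messages, and dismissing the delivered notification programmatically when the message is deleted) can be sketched as follows. This is an added example, not Signal's code and not from the original article; the `MessageNotifier` class, its method names and the `messageID` key are hypothetical, while the `NSUserNotification` and `NSUserNotificationCenter` calls are the macOS API the article discusses.

```objc
#import <Foundation/Foundation.h>

// Hypothetical helper (assumption for illustration, not Signal's implementation).
@interface MessageNotifier : NSObject
+ (void)notifyForMessageID:(NSString *)messageID
                    sender:(NSString *)sender
                      body:(NSString *)body
              disappearing:(BOOL)disappearing;
+ (void)messageDeleted:(NSString *)messageID;
@end

@implementation MessageNotifier

+ (void)notifyForMessageID:(NSString *)messageID
                    sender:(NSString *)sender
                      body:(NSString *)body
              disappearing:(BOOL)disappearing {
    NSUserNotification *note = [[NSUserNotification alloc] init];
    note.identifier = messageID;
    note.title = sender;
    // Removing a notification later may not expunge it from the on-disk
    // notification database, so a disappearing message's body is never
    // handed to the OS in the first place.
    note.informativeText = disappearing ? @"New message" : body;
    // Tag the notification so it can be found again when the message is deleted.
    note.userInfo = @{ @"messageID" : messageID };
    [[NSUserNotificationCenter defaultUserNotificationCenter]
        deliverNotification:note];
}

+ (void)messageDeleted:(NSString *)messageID {
    NSUserNotificationCenter *center =
        [NSUserNotificationCenter defaultUserNotificationCenter];
    // deliveredNotifications includes banners the OS has already auto-dismissed
    // from the screen but left in the Notification Center.
    for (NSUserNotification *note in center.deliveredNotifications) {
        if ([note.userInfo[@"messageID"] isEqual:messageID]) {
            [center removeDeliveredNotification:note];
        }
    }
}

@end
```

Calling `messageDeleted:` from the same code path that removes a message from the app UI keeps the Notification Center in step with the conversation view.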

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
