Deleted Signal Messages Linger on macOS

Messages from the Signal desktop application for Mac are not deleted from the machine, but are instead copied to the notifications bar, where they persist, a security researcher warns.

The issue, discovered by Alec Muffett, impacts even disappearing messages, which remain in the operating system’s Notification Center.

Introduced in OS X 10.10 (Yosemite), Notification Center was designed to help users easily access details about their day and catch up on notifications they might have missed, and Signal uses it to alert users to newly arrived messages. If the Signal application is not in the foreground, the notification is by default displayed at the top right corner of the screen.

Notifications can be created and posted to the Notification Center on macOS in several ways using the NSUserNotification class. After a few seconds, however, the operating system automatically dismisses notifications from the screen if the user doesn’t interact with them.

The default type of notification is a ‘banner’ that gets dismissed after a few seconds, but developers can also specify the type ‘alert’ (by setting the ‘NSUserNotificationAlertStyle’ key to ‘alert’), which is an interactive notification.

The Signal app, however, does not specify a ‘NSUserNotificationAlertStyle’ style, meaning that it uses the default type of notification, a non-interactive ‘banner’ auto-dismissed by the OS.

As Objective-See’s Patrick Wardle points out, even if the application is in focus and the notification isn’t shown to the user, if the application invokes [NSUserNotificationCenter defaultUserNotificationCenter], the notification goes to the Notification Center.

Furthermore, the notification is not removed from the Notification Center, unless the type is ‘alert’ and the user interacts with it, the application explicitly dismisses it, or the user opens the Notification Center and clicks ‘x’.

However, Signal’s disappearing messages may not disappear on macOS even if the application deletes them from the UI.

They may persist in the Notification Center because a message notification is posted there when the app is not in the foreground and because the OS automatically dismisses the notification ‘banner’, but leaves the actual notification (which contains the message contents) in the Notification Center.

What’s more, “Signal does not explicitly delete this notification when it deletes messages from the app UI,” the security researcher explains.

However, if the Signal application is in the foreground, no such notification is posted, meaning that the messages don’t end up in the Notification Center. Furthermore, the messages appear in the Notification Center truncated, because the notifications limit the amount of text being displayed.

Wardle also explains that Signal messages that end up in the Notification Center can even be recovered after deletion, because notifications are stored on disk in a SQLite database readable with user (non-root) permissions.

The database contains not only information on the applications that have posted notifications, but also the notifications themselves, along with their contents. Thus, the full text of Signal messages that arrived as notifications can be recovered from there, even if some messages were set to disappear.

“If the application wants the item to be removed from the Notification Center, it must ensure that the alert is dismissed by the user or programmatically! However, it is not clear that this also ‘expunges’ the notifications (and their contents) from the notification database… I’m guessing not! If this is the case, Signal may have to avoid generating notifications (containing the message body) for disappearing messages,” Wardle concludes.
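The two mitigations Wardle describes, programmatic dismissal and keeping the message body out of notifications for disappearing messages, can be sketched with the NSUserNotificationCenter API as follows. This is an added example, not Signal's code or Wardle's; the function names and the "msg-" identifier scheme are hypothetical, and it assumes the code runs inside an application bundle.

```objective-c
#import <Foundation/Foundation.h>

// Hypothetical helpers for illustration; the "msg-" identifier scheme is an
// assumption of this example, not taken from any real application.
static NSString *MSGNotificationID(NSString *messageID) {
    return [@"msg-" stringByAppendingString:messageID];
}

// Post a notification for an incoming message. For disappearing messages the
// sender and body are withheld, so no message content reaches Notification
// Center or the on-disk notification database.
static void MSGPostNotification(NSString *messageID, NSString *sender,
                                NSString *body, BOOL disappearing) {
    NSUserNotification *note = [[NSUserNotification alloc] init];
    note.identifier = MSGNotificationID(messageID);
    note.title = disappearing ? @"New message" : sender;
    note.informativeText = disappearing ? nil : body;
    [[NSUserNotificationCenter defaultUserNotificationCenter]
        deliverNotification:note];
}

// Call this when the app deletes a message from its UI: remove the matching
// delivered notification as well. Returns the number of entries removed.
static NSUInteger MSGExpireMessage(NSString *messageID) {
    NSUserNotificationCenter *center =
        [NSUserNotificationCenter defaultUserNotificationCenter];
    NSString *wanted = MSGNotificationID(messageID);
    // Snapshot the list so removal does not interfere with iteration.
    NSArray<NSUserNotification *> *delivered =
        [center.deliveredNotifications copy];
    NSUInteger removed = 0;
    for (NSUserNotification *note in delivered) {
        if ([note.identifier isEqualToString:wanted]) {
            [center removeDeliveredNotification:note];
            removed++;
        }
    }
    return removed;
}
```

Because it is unclear whether removing a delivered notification also expunges it from the database, withholding the body at post time is the part that does not depend on that behavior.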

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
