Signal is currently addressing a long-standing security flaw in its desktop app. According to reports from BleepingComputer, Signal's Desktop app on Windows and Mac creates an encrypted SQLite database upon installation, and the key that encrypts this database is stored locally in plaintext inside a configuration file. Anyone who can read that file, whether a person at the keyboard or a process running on the machine, can retrieve the key and open the message database.
Signal, a widely respected encrypted chat application, is known for its strong end-to-end encryption. Many people use it as their primary messaging platform, and the Signal Protocol underlying it is also used by other services, WhatsApp among them. While Signal's security on mobile devices is commendable, the same has not been true of its desktop version.
This issue with Signal's desktop app is not new. BleepingComputer first reported on it back in 2018. At the time, Signal responded to user concerns on its forums by stating that the database key was never intended to be kept secret. Signal's President, Meredith Whittaker, explained in a post on X that the reported issues relied on an attacker already having full access to the device, either physically or through malware or a malicious application. Signal's position was that defending against an attacker who already controls the device is not something the app alone can be held responsible for.
So why is this flaw drawing attention now? The answer involves high-profile figures, the right-wing culture war, and Telegram. Telegram is a popular messaging app, particularly in Europe, Russia, and the Middle East. Unlike Signal, it does not offer end-to-end encryption by default, and it has been known to harbor malware, scams, and violent content.
On May 8, Pavel Durov, the CEO of Telegram, accused Signal of being an agent of the U.S. government in a post on his app. He claimed that the encryption used by Signal was developed with a $3 million investment from the U.S. government and is now implemented in various other messaging apps. Durov insinuated that big tech companies in the U.S. are not allowed to develop independent encryption protocols free from government influence. His statement was a response to a report by right-wing provocateur Christopher Rufo, who criticized Signal's relationship with NPR CEO Katherine Maher.
These allegations caught the attention of Elon Musk, who also commented on the Signal vulnerabilities mentioned in Rufo's report. Musk said that no communication platform can claim absolute security, but that platforms differ in how vulnerable they are. Matthew Green, a cryptographer at Johns Hopkins University, vouched for the Signal Protocol, the encryption underlying Signal, stating that it has been thoroughly reviewed by cryptographers and is considered the gold standard in the field.
In response to the renewed concerns, a Signal engineer said on GitHub that the plan is to adopt Electron's safeStorage API. That API wraps secrets with the operating system's own credential store (Keychain on macOS, DPAPI on Windows, and the desktop keyring such as libsecret or KWallet on Linux), so the database key in the JSON configuration file would no longer sit on disk in the clear. The engineer described the change as significant, requiring extensive testing before it ships in an upcoming beta and then in production. The protection has a limit worth knowing: on most platforms the wrapped key can still be unwrapped by code running under the same user account, so the change raises the bar against a casual file read or an offline copy of the disk rather than against malware already running as the user, which is the scenario Signal's earlier response pointed to.
Gizmodo reached out to Signal for comment but did not receive a response. The renewed attention on this flaw comes shortly after the security breach at AT&T, in which hackers gained access to customer data, a reminder that the security of the devices we carry our conversations on matters as much as the encryption on the wire.
Fixing the key-storage flaw in Signal's desktop app matters for keeping user trust. With the planned move to Electron's safeStorage API, Signal intends to stop leaving the database key on disk in the clear and to put it behind the operating system's own credential protection. Whether that shift lands in the beta and then production as described is what users of the desktop client should watch for.