signalapp

2 posts

Harry Sintonen@harrysintonen@infosec.exchange

Signal doesn't actually delete messages when they're deleted (either manually or by automation). The message deletion is written to the write-ahead log, and the data is only truly deleted once Signal is restarted or a threshold of 1000 pages is reached. For the macOS Signal application, an extra complication arises from the fact that the Signal message database can be backed up before the database consolidation occurs. A large amount of the supposedly already deleted messages could be recovered from the device or backups.

This concerns use cases where deleted messages actually getting removed in a timely manner is of high importance and recovery of the deleted messages could lead to grave consequences.

TL;DR: If you don't care about deleted messages being actually deleted, you don't need to worry.

Full advisory at: sintonen.fi/advisories/signal-
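The retention behaviour the post describes is a property of SQLite's write-ahead log, and it can be observed directly. The following is an added example (not code from Signal, from the advisory, or from the post author): it uses a plain, unencrypted SQLite database with a constructed `messages` table and a constructed message body, not Signal's own database or schema. It shows that a deleted row's bytes stay in the `-wal` file after `DELETE`, that `PRAGMA secure_delete` alone does not scrub the log, and that only a checkpoint (here forced with `wal_checkpoint(TRUNCATE)`, the same consolidation that otherwise happens on restart or at the auto-checkpoint page threshold) removes them from disk. It assumes only Python's built-in `sqlite3` module.

```python
import os
import shutil
import sqlite3
import tempfile

# Constructed sample message body; chosen so it is easy to search for in raw files.
SECRET = b"constructed-secret-message-0xC0FFEE"


def _file_contains(path: str, needle: bytes) -> bool:
    """Return True if the file exists and its raw bytes contain `needle`."""
    if not os.path.exists(path):
        return False
    with open(path, "rb") as fh:
        return needle in fh.read()


def wal_retention_demo(secure_delete: bool = False) -> dict:
    """Insert one message, delete it, and report where its bytes survive on disk.

    Returns a dict with:
      autocheckpoint_pages  - SQLite's auto-checkpoint threshold (default 1000 pages)
      wal_after_delete      - SECRET still present in the -wal file right after DELETE
      wal_after_checkpoint  - SECRET present in the -wal file after a TRUNCATE checkpoint
      db_after_checkpoint   - SECRET present in the main database file after checkpoint
    """
    workdir = tempfile.mkdtemp(prefix="wal-demo-")
    db_path = os.path.join(workdir, "messages.db")
    wal_path = db_path + "-wal"
    try:
        # isolation_level=None: every statement is its own committed transaction,
        # so each DML statement appends frames to the WAL immediately.
        conn = sqlite3.connect(db_path, isolation_level=None)
        conn.execute("PRAGMA journal_mode=WAL").fetchone()
        if secure_delete:
            # Zero freed cell content inside pages; this does NOT touch old WAL frames.
            conn.execute("PRAGMA secure_delete=ON")
        autocheckpoint = conn.execute("PRAGMA wal_autocheckpoint").fetchone()[0]

        conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body BLOB)")
        conn.execute("INSERT INTO messages (body) VALUES (?)", (SECRET,))
        conn.execute("DELETE FROM messages WHERE id = 1")

        # The INSERT's page image is still an earlier frame in the append-only WAL.
        wal_after_delete = _file_contains(wal_path, SECRET)

        # Consolidate: copy the newest page versions into the main file and
        # truncate the log to zero bytes. Restart or the page threshold do the
        # same thing implicitly; until then the old frames remain readable.
        conn.execute("PRAGMA wal_checkpoint(TRUNCATE)").fetchone()
        wal_after_checkpoint = _file_contains(wal_path, SECRET)
        db_after_checkpoint = _file_contains(db_path, SECRET)
        conn.close()

        return {
            "autocheckpoint_pages": autocheckpoint,
            "wal_after_delete": wal_after_delete,
            "wal_after_checkpoint": wal_after_checkpoint,
            "db_after_checkpoint": db_after_checkpoint,
        }
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    for mode in (False, True):
        print(f"secure_delete={mode}:", wal_retention_demo(secure_delete=mode))
```

Whether the main database file still holds the bytes after the checkpoint depends on `secure_delete`: with it off, SQLite leaves freed cell content in place, so the deleted record can survive in the `.db` as well; with it on, the page copy written by the checkpoint is zeroed. In both modes the WAL keeps the pre-delete page image until a checkpoint runs, which is why a backup taken in that window (the macOS case in the post) captures the "deleted" message, and why an explicit checkpoint plus `secure_delete` is the defensive combination to look for when reviewing an application's deletion path.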

Harry Sintonen@harrysintonen@infosec.exchange

All my attempts to communicate a vulnerability in Signal have failed - I have not received any response to my multiple messages to them. Good people have tried to forward my concern to them (and I am thankful for your efforts and help), yet this has been to no avail.

I am disappointed in the lack of communication from Signal. I will be disclosing the full details of the issue later today (with end-user mitigations), after the six-month anniversary of the initial report.