MyHackerNews

Signal Desktop App Vulnerability Allows Encrypted Data to Be Out In the Open

It has recently been discovered that the Signal Desktop application makes a procedural error that can lead to the compromise of locally stored data, exposing that data to outside parties.

 

 

When Signal Desktop is installed, it creates an encrypted SQLite database named db.sqlite and automatically generates the encryption key used to open that database.

 

This encryption key is needed every time the database is opened, so it is saved on the device in plain text in a local file, %AppData%\signal\config.json. A third party can obtain the database key easily, because it can be read from that file with no effort.

 

https://twitter.com/nathanielrsuchy/status/1054720111330951168/photo/1

The issue was uncovered by a researcher who found that this procedural flaw exposes a user's entire confidential database, giving malware and attackers easy access to it if they ever gain access to the device.

 

Researchers have further stated that all encryption should be implemented with extreme care and strong security measures.


 

In a situation where the Signal Desktop application is installed before the config.json file is opened to retrieve the encryption key, the program prompts users to submit their decryption key.

 

 

As soon as the key is submitted to the config.json file, the full database is compromised, leaving it open for external parties to access. Using encryption to safeguard a user's personal information is a gain only until a flaw in the procedure exposes the confidential data.

 

The problem could be easily controlled if users were required to enter a password for encryption key generation instead of relying on automatic key generation.

 

This method of a user-generated encryption key, in which only the user has access to the generated key, is already a widespread practice. The only drawback observed with this method is that if a user forgets or loses the password, the data is lost to that user forever.
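As an added example (not code from Signal Desktop or from the original article), the Node.js code below contrasts the plain-text key layout described above with a password-protected one. It wraps the randomly generated key under an scrypt-derived key rather than deriving the database key from the password directly. The field names, scrypt settings and sample key are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// scrypt cost settings: assumed values for this example, tune per device.
const KDF = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };

// Weak layout described in the article: the raw database key in plain text.
// The field name "key" and the key value are constructed for illustration.
const dbKey = crypto.randomBytes(32);
const weakConfig = { key: dbKey.toString('hex') };

// True when a parsed config exposes a usable key to any local reader.
function exposesPlaintextKey(config) {
  return typeof config.key === 'string' && /^[0-9a-f]{64}$/i.test(config.key);
}

// Derive a 256-bit key-encryption key from the password the user types.
function deriveKek(password, saltHex) {
  return crypto.scryptSync(password.normalize('NFKC'), Buffer.from(saltHex, 'hex'), 32, KDF);
}

// Hardened layout: only salt, nonce, wrapped key and GCM tag reach the disk.
function protectKey(rawKey, password) {
  const salt = crypto.randomBytes(16).toString('hex');
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKek(password, salt), iv);
  const wrapped = Buffer.concat([cipher.update(rawKey), cipher.final()]);
  return {
    salt,
    iv: iv.toString('hex'),
    wrappedKey: wrapped.toString('hex'),
    tag: cipher.getAuthTag().toString('hex'),
  };
}

// Returns the database key, or null for a wrong password or a tampered file.
function recoverKey(config, password) {
  try {
    const kek = deriveKek(password, config.salt);
    const decipher = crypto.createDecipheriv('aes-256-gcm', kek, Buffer.from(config.iv, 'hex'));
    decipher.setAuthTag(Buffer.from(config.tag, 'hex'));
    return Buffer.concat([decipher.update(Buffer.from(config.wrappedKey, 'hex')), decipher.final()]);
  } catch {
    return null; // no recovery path: a forgotten password means the data is lost
  }
}
```

The `null` branch of `recoverKey` is the trade-off the article mentions: without the password there is nothing on disk from which the database key can be rebuilt.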

 

 

The proprietors of Signal Desktop have yet to release any statements regarding the issue.
