When it comes to messaging apps, Signal is one of the most secure options around, but it turns out the service actually has a pretty big vulnerability if you’re using it on a Mac.
Your disappearing messages (you know, the ones that are supposed to self-destruct after a set amount of time) are actually, default, being stored on your Mac. Here’s what you need to know to make sure any sensitive information sent over Signal actually disappears like it’s supposed to.
What’s the issue?
It all boils down to the Notification Center on Mac. If you’re using Signal on your computer, each new message will come in as an alert that’s stored in the Notification Center, where both the content and sender’s name are clearly visible.
Somewhat surprisingly, that’s true even if the messages you’re receiving are supposed to self-destruct. Even after they disappear from the Signal app, they will still be visible in the Notification Center and elsewhere on your computer. The issue was initially spotted by security researcher Alec Muffett, who shared his findings on Twitter. After Motherboard noticed the tweet, Patrick Wardle (another Mac security researcher) dug a little deeper into Signal’s security flaw.
Lifehacker also reached out to Signal for comment but had not heard back at time of writing.
In a blog post, Wardle explains that hackers still need access to your computer (either remotely or physically) to see your Signal messages. So this isn’t an issue for most people, but if you’re actually using Signal to share sensitive or valuable information it could be a real problem. Thankfully, there’s an easy way to fix it.
To make sure your disappearing Signal messages actually disappear, just open the app on your Mac and head to preferences (click on Signal in the top right corner of the screen and that option should pop up). In the Notifications section select “Neither name nor message”. You can also pick “Only sender name” if you still want some useful info without revealing everything.
Screenshot: Jacob Kleinman
The next time you get a Signal notification on your Mac it won’t store any sensitive information on your computer. Unfortunately, that doesn’t solve the issue of “disappearing” messages already recorded by your Mac, and that’s where things get complicated.
Checking your database
With a little coding, Wardle found that all those self-destructing Signal messages are also saved on a database deep inside your Mac. Actually accessing that info is probably beyond most people’s skillsets (myself included), but if you’re up for the challenge you can follow along with Wardle (a professional Mac security researcher) right here.
To make things a little easier, he also set up a script that can scan your Mac and reveal all the notification data it’s hidden away. That way you’ll know there’s data worth deleting before you do the difficult work of actually wiping your database.
For most of us, though, simply making sure that any disappearing messages you receive in the future actually disappear should be more than enough to give you piece of mind.