Encrypted chat app Signal's disappearing messages may not actually vanish on Apple Macs, thanks to the way the encrypted messaging software interacts with the macOS Notification Center.
On Tuesday, security researcher Alec Muffett noted: "If you are using the @signalapp desktop app for Mac, check your notifications bar; messages get copied there and they seem to persist – even if they are 'disappearing' messages which have been deleted/expunged from the app."
The issue was identified on macOS 10.13.4, the latest operating system release, using Signal 1.9.0, the app's latest macOS release. Signal for iOS does not appear to be affected.
Not all disappearing messages get stored, as Patrick Wardle, chief security researcher of R&D at Synack, explains in a post on his personal blog.
The macOS Notification Center shows notifications sent by installed apps. Apple offers developers several types of notifications. The default "banner" style shows the message sent by the app and disappears after a few seconds.
An alternate style, "alert," which requires manual dismissal, can be set by entering "alert" as the value for the Info.plist key NSUserNotificationAlertStyle. According to Wardle, Signal does not specify a notification type so it defaults to "banner."
When apps issue notifications, they don't go away automatically. If they're an "alert" type, they have to be dismissed by the user. Also, the application itself can issue a removal call or the user can open the Notification Center and dismiss the message there.
When Signal is being used actively, no notifications are sent. But when Signal is operating in the background and posts a message notification – which includes message content – the operating system dismisses the 'banner' type from the screen but the notification data remains in the Notification Center.
For a privacy-oriented app, that's a problem because messages that were supposed to disappear can still be found. The fix is simple enough: Wardle recommends disabling notifications for Signal through the macOS Settings menu.
The Register asked Open Whisper Systems, the maker of Signal, for comment but we've not heard back. ®
- Black Hat
- Cybersecurity and Infrastructure Security Agency
- Cybersecurity Information Sharing Act
- Data Breach
- Data Protection
- Data Theft
- Identity Theft
- Microsoft 365
- Microsoft Office
- Microsoft Teams
- Palo Alto Networks
- Visual Studio
- Visual Studio Code
- Web Browser