A Mac-specific vulnerability has been discovered in the secure messaging app Signal.

Signal allows you the option of sending ‘disappearing’ messages which are automatically purged from the app after a preset time. This feature is often used for passing on the most sensitive information, to ensure there is no permanent record afterwards. But a security researcher has discovered a serious failing specific to the Mac app …

Motherboard spotted a tweet from Alec Muffett in which he reported that disappearing messages were displayed in the Notification Center – and remained there after they expired in the app.

“If you are using the @signalapp desktop app for Mac, check your notifications bar; messages get copied there and they seem to persist — even if they are “disappearing” messages which have been deleted/expunged from the app.”

Motherboard confirmed this, with Muffett saying the bigger concern was where Notification Center content was stored on a Mac, and whether it created a permanent record.

Security researcher and ex-NSA hacker Patrick Wardle investigated and found that it does.

“Wardle explains and shows that the messaged end up in a SQLite database that is accessible with normal user permissions. That means any malware, hacker, or forensic expert who can bypass the full disk encryption, will be able to recover these messages even after they’re gone in the app, Wardle told me […]

“If I’m a nation state [hacking] group, I’m now going to code up a ‘grabSignalMessage’ plugin for my implants,” Wardle said.”

As the piece notes, it’s not a big concern for the average user, as reading the database would require physical or remote access to the Mac while logged-in, but it does create a vulnerability that shouldn’t exist.

You can prevent it happening in future by going into Signal’s preferences pane, selecting Notifications and then ‘Neither name nor message.’

Mac-specific vulnerability discovered with Signal’s self-destructing messages