Mysk🇨🇦🇩🇪
TL;DR: Don't install @signalapp for macOS, it is not secure.
I carried out this small experiment:
- I wrote a simple Python script that copies the directory of Signal's local storage to another location (to mimic a malicious script or app)
- I ran the script in the Terminal and got a copy of my Signal data on my Mac
- I booted a fresh macOS installation in a virtual machine
...🧵
Mysk🇨🇦🇩🇪
…
Perhaps this flaw is what makes some users think that Signal has a "backdoor" as it is easy for sophisticated attackers to target a victim who's using the Mac app and see their chats. (The same may be also true for the Windows app)
Kuba Orlik
@mysk i keep wondering: isnit surprising? Do other apps handle.that better? What should an app do to prevent that sort of attack? You copied the private keys so the other machine can decrypt the same thing as the original machine
Mysk🇨🇦🇩🇪
…
- I transferred the copy of Signal's data to the VM and placed it where Signal expects it: ~/Library/Application\ Support/Signal
- I installed Signal and started it
- Signal started and restored my session with all the chat histories 😳
- I exchanged a couple messages with a contact from the VM and it worked 😳
- Then, I started Signal on the Mac
- I got three sessions running in unison: Mac, iPhone, and VM 😳
…🧵
Mysk🇨🇦🇩🇪
…
Messages were either delivered to the Mac or to the VM. The iPhone received all messages. All of the three sessions were live and valid. Signal didn't warn me of the existence of the third session [that I cloned]. Moreover, Signal on the iPhone still shows one linked device. This is particularly dangerous because any malicious script can do the same to seize a session.
…🧵
076萌SNS is a social network, courtesy of 076. It runs on GNU social, version 2.0.2-beta0, available under the GNU Affero General Public License.
All 076萌SNS content and data are available under the Creative Commons Attribution 3.0 license.