Researchers Discover Flaw in Signal’s Disappearing Messages Related to Mac Notification Center

Signal's Mac app displays recently received messages in the Notification Center on macOS, and this feature could compromise a user's disappearing private messages, as discovered by security researcher Alec Muffett and reported by Motherboard.

One of Signal's main advantages is its ability to send disappearing messages, so that after a predetermined amount of time the message is deleted from the app.

Muffett pointed out on Twitter this week that Signal's default Mac app settings somewhat defy this security measure due to the way Macs handle notifications. So, even if you send a self-destructing message within the Signal app, the messages remain on the recipient's Mac Notification Center, displaying your name and message details. Muffett was running macOS 10.13.4 and Signal version 1.9.0.



Mac security researcher Patrick Wardle then investigated the issue further, discovering that the "deleted" Signal messages that remain in the Notification Center are saved on the Mac's disk inside the operating system. While this is true of any app that displays notifications, it's particularly troublesome for Signal users in need of high-level security, like government workers or journalists.

Any malicious third parties would still need to get their hands on your Mac to get into your message history, so as Motherboard pointed out, "this is not a major threat for most people." Still, this could be a major security risk for high-level Signal users, since this means that any disappearing messages that popped up in Notification Center can be recovered later, "even after they are gone within the Signal app."

Wardle summed up his findings:
In short, anything that gets displayed as a notification (yes, including 'disappearing' Signal messages) in the macOS Notification Center, is recorded by the OS.

If the application wants the item to be removed from the Notification Center, it must ensure that the alert is dismissed by the user or programmatically! However, it is not clear that this also 'expunges' the notifications (and the their contents) from the notification database...i'm guessing not! If this is the case, Signal may have to avoid generating notifications (containing the message body) for disappearing messages...
Wardle said that Signal's iOS app does not appear to have a similar issue at this time, although the app "should be investigated." Of course, any Signal Mac user who is worried about potential privacy risks can navigate to Signal's Preferences menu on the top-left corner of the screen when the app is open, click Notifications, and "Disable notifications."

Tag: Signal

Discuss this article in our forums

End-to-End Encryption Comes to Skype Through Signal Partnership

Microsoft is testing a new "Private Conversations" feature in Skype, which is being introduced through a partnership with Signal.

Skype is using the Signal Protocol for the feature, allowing users to take advantage of strong end-to-end encryption for more secure communications.


Private Conversations are available for one-on-one conversations on Skype, with users able to initiate a private conversation by tapping on the "+" icon and then selecting "New Private Conversation." Once a conversation is initiated, it will be available only on the specific device where it was started.

Microsoft says Private Conversations offer several unique features:

  • A Private Conversation will have a lock icon next to your contact's name.

  • Preview messages from Private Conversations will not show in Chats or notifications.

  • Private Conversation capabilities are limited. You cannot edit a message or forward a file. From the chat window, only emoticons, files and audio messages are available to send.

  • Private Conversations are specific to a device. A new invitation must be sent and accepted, to change to another device.


Private Conversations are available today in a preview capacity for Skype Insiders, Microsoft's beta testing program for Skype.


Discuss this article in our forums

Signal Encrypted Messenger 2.19 Update Finally Available Following App Store Hiccup

Encrypted messaging app Signal pushed out its v2.19 update late on Friday after a post-release 48-hour delay, owing to an App Store issue that Apple has now resolved. The update includes a number of new features and improvements, including full UI display support for iPhone X.

After the update is applied, users will no longer see the "Load Earlier Messages" link within chat threads, because additional messages now appear automatically upon scrolling to the top of a conversation.


In other improvements, a new simplified interface has been introduced to the Signal mobile app that aims to make sending photos, files, and GIFs easier and quicker. For example, attachment previews are now displayed directly in the message bar instead of on a separate confirmation screen.

Adopting a design concept popularized by Facebook Messenger known as "Jumbomoji", emoji characters are now also visibly larger in Signal chat bubbles that don't contain any other text. Elsewhere, messages that fail to send have been made easier to spot and re-send, while a new "Tap for More" option should make navigating extremely long messages a more pleasant experience.

The list of supported languages has also been expanded to include Burmese, Hebrew, and Persian, while users with an external keyboard linked to their device can now make use of new key combination shortcuts for sending messages (Shift + Enter, and Command + Enter).

Apart from the above changes, Open Whisper Systems has revamped the layout code to improve performance and flexibility, so everything should feel smoother and more refined, according to the developers. Lastly, a number of bugs have been fixed, including one where recently sent messages sometimes reappeared after being deleted.

Signal Private Messenger is a free download [Direct Link] for iPhone and iPad available on the App Store.


Discuss this article in our forums