mastodon.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
The original server operated by the Mastodon gGmbH non-profit

Administered by:

Server stats:

380K
active users

TL;DR: Don't install @signalapp for macOS, it is not secure.

I carried out this small experiment:

- I wrote a simple Python script that copies the directory of Signal's local storage to another location (to mimic a malicious script or app)
- I ran the script in the Terminal and got a copy of my Signal data on my Mac
- I booted a fresh macOS installation in a virtual machine

...🧵

- I transferred the copy of Signal's data to the VM and placed it where Signal expects it: ~/Library/Application\ Support/Signal
- I installed Signal and started it
- Signal started and restored my session with all the chat histories 😳
- I exchanged a couple messages with a contact from the VM and it worked 😳
- Then, I started Signal on the Mac
- I got three sessions running in unison: Mac, iPhone, and VM 😳

🧵

Messages were either delivered to the Mac or to the VM. The iPhone received all messages. All of the three sessions were live and valid. Signal didn't warn me of the existence of the third session [that I cloned]. Moreover, Signal on the iPhone still shows one linked device. This is particularly dangerous because any malicious script can do the same to seize a session.

🧵

Mysk🇨🇦🇩🇪

Perhaps this flaw is what makes some users think that Signal has a "backdoor" as it is easy for sophisticated attackers to target a victim who's using the Mac app and see their chats. (The same may be also true for the Windows app)

@mysk signal has to decrypt the messages to display them, how else do you expect this to work?

@joel @mysk I have no idea about macOS, does that allow to do the entire encryption of messages and attachments in a way that the key is inaccessible to other applications?

@shadowwwind @mysk Yes, applications could do this with the keychain integrated in the operating system. See here: developer.apple.com/documentat

Additionally macOS has some protections for this in the latest versions and will add some more in the next version. Signal does not use either at the moment: infosec.exchange/@jjtech/11273

Apple Developer DocumentationKeychain services | Apple Developer DocumentationSecurely store small chunks of data on behalf of the user.

@mysk If you 'solve' this problem by putting the crypto in the hardware or operating system all you do is have to trust Apple or Microsoft or whoever and it isn't scrutable.

@mikarv @mysk Trust has to start somewhere at some level?

@st3fan @mysk with open auditability or with proprietary hope and see, based in a jurisdiction where operating systems can be changed by a court and disclosing that will lead to prison time

@mysk

It's true for all their desktop apps, they use the same codebase across all of them.

@mysk i keep wondering: is it surprising? Do other apps handle.that better? What should an app do to prevent that sort of attack? You copied the private keys so the other machine can decrypt the same thing as the original machine

@kuba @mysk Sandboxing the Signal app would prevent other apps without admin rights from copying their data without a big warning dialog by the system.