The flaw affects the encryption process that Signal Desktop uses to protect locally stored messages.
The Signal Desktop application uses an encrypted SQLite database called db.sqlite to store the user's messages. The database encryption key is generated by the app during installation.
The key is stored in plain text in a local file: %AppData%\Signal\config.json on Windows PCs, and ~/Library/Application Support/Signal/config.json on Mac.
The encryption key is used every time the app accesses the database.
“To illustrate this problem, BleepingComputer installed the Signal Desktop application and sent a few test messages. First we opened our config.json file to retrieve the encryption key, which is shown above,” reads a blog post published by Bleeping Computer.
“We then opened the database located at %AppData%\Roaming\Signal\sql\db.sqlite using a program called SQLite Database Browser.”
By entering the key, the Bleeping Computer specialists were able to read the contents of the database.
The problem can be easily solved by requiring users to set a password that would be used to encrypt the database encryption key.
“This would be easily mitigated by requiring users to set a password and using that password to encrypt the key,” Suchy told Bleeping Computer.
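A sketch of that mitigation in Node.js, added here as an example and not taken from Signal's code: the database key is wrapped with a key derived from the user's password, so config.json would hold only the wrapped form. The function names, record fields, and the choice of scrypt with AES-256-GCM are assumptions; the page only says the password should encrypt the key.

```javascript
const { scryptSync, randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');

// scrypt cost parameters (assumed values for this sketch; tune for the target hardware).
const SCRYPT_PARAMS = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };

// Derive a 256-bit key-encryption key (KEK) from the user's password.
function deriveKek(password, salt) {
  return scryptSync(password, salt, 32, SCRYPT_PARAMS);
}

// Wrap the hex-encoded database key; the returned record is what would be
// written to config.json in place of the plain-text key.
function wrapDbKey(password, dbKeyHex) {
  const salt = randomBytes(16);
  const iv = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', deriveKek(password, salt), iv);
  const wrapped = Buffer.concat([cipher.update(Buffer.from(dbKeyHex, 'hex')), cipher.final()]);
  return {
    kdf: 'scrypt',
    salt: salt.toString('base64'),
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    wrappedKey: wrapped.toString('base64'),
  };
}

// Recover the database key at startup. A wrong password or a tampered
// record fails GCM authentication and throws instead of returning garbage.
function unwrapDbKey(password, record) {
  const kek = deriveKek(password, Buffer.from(record.salt, 'base64'));
  const decipher = createDecipheriv('aes-256-gcm', kek, Buffer.from(record.iv, 'base64'));
  decipher.setAuthTag(Buffer.from(record.tag, 'base64'));
  const key = Buffer.concat([
    decipher.update(Buffer.from(record.wrappedKey, 'base64')),
    decipher.final(),
  ]);
  return key.toString('hex');
}

// Constructed sample key for demonstration, not a real Signal key.
const sampleKeyHex = 'a1'.repeat(32);
const sampleRecord = wrapDbKey('correct horse battery staple', sampleKeyHex);
console.log(JSON.stringify(sampleRecord, null, 2));
```

With this layout, reading config.json alone no longer yields the database key; an attacker with file access would have to guess the password against the scrypt cost.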
Pedro Tavares is a professional in the field of information security working as an Ethical Hacker/Pentester, Malware Researcher and also a Security Evangelist. He is also a founding member at CSIRT.UBI and Editor-in-Chief of the security computer blog seguranca-informatica.pt.
In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics, such as pentesting (Kali Linux), malware, exploitation, hacking, IoT and security in Active Directory networks. He is also a Freelance Writer (Infosec. Resources Institute and Cyber Defense Magazine) and developer of the 0xSI_f33d – a feed that compiles phishing and malware campaigns targeting Portuguese citizens.