Signal's desktop app stores encryption keys for chat history in plaintext, making them accessible to any process on the system
Researchers were able to clone a user's entire Signal session by copying the local storage directory, allowing them to access the chat history on a separate device
This issue was previously highlighted in 2018, but Signal has not addressed it, stating that at-rest encryption is not something the desktop app currently provides
Some argue this is not a major issue for the "average user", as other apps also have similar security shortcomings, and users concerned about security should take more extreme measures
However, others believe this is a significant security flaw that undermines Signal's core promise of end-to-end encryption
A pull request was made in April 2023 to implement Electron's safeStorage API to address this problem, but there has been no follow-up from Signal
If the keys are accessible to any process, your system doesn’t need to be compromised. All it takes is an App that you”trust” to break that trust and snatch everything up. Meta has already been caught fucking around with other social media apps on device. They even intercepted Snapchat traffic on some users devices in order to collect that data. It could be as simple as you installed WhatsApp and they went and pillaged your Signal files.
For sure, just suggesting that “compromised” doesn’t necessarily mean you got hacked by someone because they tricked you into giving a password, or they scraped it from another website, or you installed something sketchy. It could be as simple as Microsoft scans all your files with AI, or Meta snoops other social media (which it has been caught doing).
"checking" does not prevent anything bad from happening. and if that file were read by a malicious actor, it would likely be immediate and you'd never even notice.