Post AjkFlxUn0edP2N19Oa by mysk@mastodon.social
(DIR) More posts by mysk@mastodon.social
(DIR) Post #AjkFlwkLnJUIiLI40m by mysk@mastodon.social
2024-07-05T19:22:33Z
0 likes, 0 repeats
TL;DR: Don't install @signalapp for macOS, it is not secure.I carried out this small experiment:- I wrote a simple Python script that copies the directory of Signal's local storage to another location (to mimic a malicious script or app)- I ran the script in the Terminal and got a copy of my Signal data on my Mac- I booted a fresh macOS installation in a virtual machine...🧵#privacy #security #macos #PrivactMatters #infosec
(DIR) Post #AjkFlxUn0edP2N19Oa by mysk@mastodon.social
2024-07-05T19:23:48Z
0 likes, 0 repeats
…- I transferred the copy of Signal's data to the VM and placed it where Signal expects it: ~/Library/Application\ Support/Signal- I installed Signal and started it- Signal started and restored my session with all the chat histories 😳- I exchanged a couple messages with a contact from the VM and it worked 😳- Then, I started Signal on the Mac- I got three sessions running in unison: Mac, iPhone, and VM 😳…🧵
(DIR) Post #AjkFlxg8KThzbYKD4q by mysk@mastodon.social
2024-07-05T19:26:39Z
0 likes, 0 repeats
…Messages were either delivered to the Mac or to the VM. The iPhone received all messages. All of the three sessions were live and valid. Signal didn't warn me of the existence of the third session [that I cloned]. Moreover, Signal on the iPhone still shows one linked device. This is particularly dangerous because any malicious script can do the same to seize a session. …🧵
(DIR) Post #AjkFlyhEXsBOlFqbQm by mysk@mastodon.social
2024-07-05T19:27:20Z
0 likes, 0 repeats
… Perhaps this flaw is what makes some users think that Signal has a "backdoor" as it is easy for sophisticated attackers to target a victim who's using the Mac app and see their chats. (The same may be also true for the Windows app)#privacy #security
(DIR) Post #AjkFmE6bFqO0YGpZYG by delosmzp@mastodon.social
2024-07-05T19:33:21Z
0 likes, 0 repeats
@mysk Please correct me if I’m wrong but wouldn’t all this require physical access with the right credentials for the computer and account by a sophisticated attacker? @signalapp @Mer__edith please address this.
(DIR) Post #AjkFmF8lPHi9lGqoYy by st3fan@mastodon.social
2024-07-06T13:17:40Z
0 likes, 0 repeats
@delosmzp @mysk @signalapp @Mer__edith Physical Access or Malware or any RCE or any kind of (maliciously modified) software that you run localy.
(DIR) Post #AjkFmFQqK4AmfLJFk8 by delosmzp@mastodon.social
2024-07-05T19:33:57Z
0 likes, 0 repeats
@mysk Also, thank you for doing this and writing about it.
(DIR) Post #AjkFmFhrInmfW7GqGW by mischa@exquisite.social
2024-07-08T14:27:51Z
1 likes, 0 repeats
@st3fan @delosmzp @mysk @signalapp @Mer__edith at that point signal is the least of my worries.
(DIR) Post #AjkFwTNvIiY6psosDI by kasperd@westergaard.social
2024-07-06T22:46:27.518204Z
1 likes, 0 repeats
So copying all of the data gets you a copy of the data, and you regard that as a vulnerability? And you are concerned that running a script as your user can do what your user can do?All of this sounds as expected. No application can be any more secure than the environment you run it in.The protocol could of course have been designed in such a way that some of the keys used are one-time keys. That could have exposed such cloning. But that would add complexity and potentially make backups of your data useless.