Signal, the privacy-focused voice and text-messaging application, offers an attractive bit of operational security: ephemeral text messages that "self-delete" after a predetermined amount of time. There is just one small problem, however, with that feature on the Mac desktop version of the application, as information security consultant Alec Muffett discovered: if you send a self-deleting message to someone using the macOS application, the message lives on in macOS' Notifications history.

#HEADSUP: #Security Issue in #Signal. If you are using the @signalapp desktop app for Mac, check your notifications bar; messages get copied there and they seem to persist — even if they are "disappearing" messages which have been deleted/expunged from the app. pic.twitter.com/CVVi7rfLoY — Alec Muffett (@AlecMuffett) May 8, 2018

Ars reproduced the problem, which Patrick Wardle of Objective See conducted a particularly deep dive on—revealing that the problem is, in part, a bug in the way Signal handles calls to the macOS notification system and, in part, is just how macOS notifications work.









If you've turned notifications off for Signal or limited the amount of information that gets pushed to Notifications through Signal's settings, this is not a problem; if you have not, you'll likely want to change your settings for now until a future version of Signal fixes the issue.

Because Signal does not provide any guidance to Notifications on how to handle the messages once they've been seen, macOS does not automatically delete notifications—even after their time has expired. In fact, the messages are retrievable from a non-encrypted, user-readable SQLite database in macOS' hidden /private directory, which stores each Mac user's notifications. While the messages are stored in hexadecimal format as a binary property list (plist), the data can easily be converted back to plain text. And voilà, your friend's self-deleting message is recovered.

Again, all of this can easily be mitigated by simply changing the notification settings for Signal or using full-disk encryption to make sure no one can gain access to your hard drive to retrieve the SQLite files without your password. But there's nothing on the sender's end that guarantees that will happen—so as always, send your ephemeral messages with care.