A researcher is warning users of the Signal secure messaging application that photos and video files shared in Signal chats may be hanging around on their devices unencrypted, even after the messages in which the images were shared have been deleted, putting users at risk. Signal contests the claim and says the researcher is needlessly sowing fear and alarm.
Researcher John Jackson (@johnjhacking) warned in a Twitter post on Saturday that the Signal secure messaging application doesn’t encrypt images shared in chat messages when they are stored locally, and that those images may linger on devices for weeks or months. That could put Signal users at risk should their device be seized – for example, by police or government officials in authoritarian states, Jackson said.
1/Just found a couple of 0days in Signal. Very similar to the Keybase ones that were disclosed in the past. Check it out, unpatched. In the first photo, I send a photo attachment in a signal chat, with “this will be my PoC”. pic.twitter.com/K7DWDOFmu3
— John Jackson (@johnjhacking) January 21, 2023
Signal is an encrypted instant messaging application that can be used across different platforms, including Windows, Mac, iOS and Android. It is developed as open source software by The Signal Foundation and allows users to send one-to-one or group texts, share files, video and images, or engage in group chats. The app uses standard cellular telephone numbers as identifiers and secures all communications to other Signal users