Quick reminder: In these hard times, when we focus on local vulnerabilities as @zoom_us had, @signalapp on Desktop still stores the encryption key in a plaintext file. So, any malicious app running with typical user permissions may decrypt your messages. 😅 1/x

9:04 PM · Apr 7, 2020

On macOS the encryption key is stored in the "~/Library/Application Support/Signal/config.json". On Windows AFAIK in the "%AppData%\Signal\config.json" 2/x
PoC on macOS 3/x
Is the key stored in plaintext on cellphones too? Or just Signal for *Desktop*?
On Android and iOS, apps are isolated and cannot read each other's data, so I think they're safe.
On Debian, at least, it's stored in ~/.config/Signal. Had no idea!
That's painful 😶