{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/notification/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Signal"],"_cs_severities":["medium"],"_cs_tags":["macos","signal","notification","privacy","credential-access"],"_cs_type":"advisory","_cs_vendors":["Apple","Whisper Systems"],"content_html":"\u003cp\u003eA vulnerability exists in the macOS implementation of the Signal messaging application, where \u0026lsquo;disappearing\u0026rsquo; messages may persist in the macOS Notification Center database even after being deleted from the Signal application\u0026rsquo;s user interface. This occurs because Signal posts message content to the Notification Center as a banner notification when the app is not in the foreground. While the OS automatically dismisses these banners, the underlying notification data, including message content, remains stored in an unencrypted SQLite database. This issue affects users of Signal on macOS who rely on the disappearing message feature for privacy. The vulnerability was publicly disclosed in May 2018 by Objective-See.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user receives a message in the Signal application on macOS.\u003c/li\u003e\n\u003cli\u003eIf the Signal application is not in the foreground, the message content is displayed as a banner notification via the macOS Notification Center.\u003c/li\u003e\n\u003cli\u003eThe macOS operating system automatically dismisses the banner notification after a few seconds.\u003c/li\u003e\n\u003cli\u003eThe notification data, including the message content, is stored in an SQLite database located at \u003ccode\u003e/private/var/folders/l8/.../com.apple.notificationcenter/db2/db\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe user deletes the message from within the Signal application, triggering its removal from the application\u0026rsquo;s UI.\u003c/li\u003e\n\u003cli\u003eThe Signal application does not explicitly remove the corresponding notification from the macOS Notification Center database.\u003c/li\u003e\n\u003cli\u003eAn attacker with local access to the macOS system can access the unencrypted SQLite database.\u003c/li\u003e\n\u003cli\u003eThe attacker can extract and read the contents of the \u0026lsquo;disappearing\u0026rsquo; messages from the database, bypassing Signal\u0026rsquo;s intended privacy feature.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker with local access to a macOS system to recover and read \u0026lsquo;disappearing\u0026rsquo; messages from the Signal application, even after they have been deleted within the application. This compromises the confidentiality of sensitive communications intended to be ephemeral, potentially impacting a large number of Signal users on macOS.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process-creation logging to monitor processes accessing the SQLite database \u003ccode\u003e/private/var/folders/l8/.../com.apple.notificationcenter/db2/db\u003c/code\u003e using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eDisable notifications within the Signal application to prevent message content from being stored in the Notification Center database.\u003c/li\u003e\n\u003cli\u003eConsider implementing disk encryption to protect the entire file system, including the Notification Center database.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-signal-notification-leak/","summary":"macOS stores Signal message notifications in an unencrypted SQLite database, potentially exposing 'disappearing' messages even after they are deleted from the Signal application.","title":"Signal 'Disappearing' Messages Persist in macOS Notification Center","url":"https://feed.craftedsignal.io/briefs/2024-01-signal-notification-leak/"}],"language":"en","title":"CraftedSignal Threat Feed — Notification","version":"https://jsonfeed.org/version/1.1"}