A recent alert has caught the attention of WhatsApp users this week, with some security experts recommending that they delete their apps. While the same vulnerability also affects Signal, the large user base of WhatsApp makes it a significant concern. The issue primarily impacts Apple users utilizing the multi-device features of both messaging platforms. Although the main iOS apps for WhatsApp and Signal are considered secure, the macOS versions have been identified as major security risks.
This warning comes from researcher Tommy Mysk, renowned for uncovering such vulnerabilities. Mysk explains that when WhatsApp and Signal are installed on a Mac, they store their local data in a location accessible to any application or process run by the user. This includes chat histories—information that these apps are designed to protect with end-to-end encryption.
While this isn’t problematic in itself (Apple’s iMessage handles local data in a similar fashion), it is the handling of this data that raises concerns. Apple sandboxed iMessage data to prevent unauthorized access, but WhatsApp and Signal do not apply the same level of protection. Mysk warns that both macOS apps for Signal and WhatsApp store local data in accessible locations, making it vulnerable.
Endpoint compromise has always been a concern for fully encrypted platforms. Though transmission is considered secure, there are calls from law enforcement and security agencies for backdoors, as highlighted by Europe’s controversial “chat control” proposal. If someone gains physical access to an unlocked device, they can access everything. However, the real concern is remote access: unauthorized access to the data without ever touching the device.
According to Mysk, WhatsApp does not encrypt the local database where chat histories are stored, and it does not encrypt media attachments sent through chats either. This oversight means that malware running under the user’s account could read this data and transmit it to a remote server, undermining end-to-end encryption. This vulnerability raises the question of whether it could enable ongoing remote attacks.
Signal’s issues are somewhat different. Although Signal does encrypt local chat histories, it does not encrypt media attachments. Furthermore, the encryption key for the local chat history is stored in plain text within the same folder, accessible to all applications. This undermines the security of the chat history. Additionally, if an attacker copies the entire folder containing the app’s local data to another Mac, they can restore the session. Signal’s servers permit the cloned session to coexist with legitimate ones, creating a potential backdoor.
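A defender-side check for the two conditions Mysk describes, added here as an example and not code from Mysk, WhatsApp or Signal: it walks an app data folder, flags SQLite databases that still carry the plaintext "SQLite format 3" header (a database that is not encrypted at rest) and flags readable files whose names suggest key material stored beside the data it protects. The folder layout and file names are constructed for the demonstration and are not the real apps' layouts.

```python
import os
import sqlite3
import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"

def is_plaintext_sqlite(path):
    """A readable SQLite header means the file is not encrypted at rest
    (SQLCipher-style encryption covers the whole file, header included)."""
    with open(path, "rb") as f:
        return f.read(16) == SQLITE_MAGIC

def audit_app_data(root):
    """Walk an app's data folder and report what a defender cares about:
    plaintext SQLite databases, and readable files whose names suggest a
    key or secret sitting next to the data it is meant to protect."""
    root = Path(root)
    findings = []
    for p in root.rglob("*"):
        if not p.is_file() or not os.access(p, os.R_OK):
            continue
        rel = str(p.relative_to(root))
        if is_plaintext_sqlite(p):
            findings.append(("plaintext-sqlite", rel))
        if any(tok in p.name.lower() for tok in ("key", "secret", "config.json")):
            findings.append(("key-material-readable", rel))
    return sorted(findings)

def make_sample_tree():
    """Constructed sample tree standing in for a desktop messenger's data
    folder (hypothetical layout, not WhatsApp's or Signal's)."""
    root = Path(tempfile.mkdtemp())
    db = root / "db" / "messages.db"
    db.parent.mkdir()
    conn = sqlite3.connect(db)
    conn.execute("CREATE TABLE messages (id INTEGER, body TEXT)")
    conn.execute("INSERT INTO messages VALUES (1, 'hello')")
    conn.commit()
    conn.close()
    # Stand-in for an encrypted database: random bytes, no SQLite header.
    (root / "db" / "encrypted.db").write_bytes(os.urandom(4096))
    # Stand-in for a key stored in plain text beside the database.
    (root / "config.json").write_text('{"key": "<constructed-placeholder-key>"}')
    return root

if __name__ == "__main__":
    for kind, rel in audit_app_data(make_sample_tree()):
        print(f"{kind}: {rel}")
```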
The extent of this vulnerability is concerning. It suggests a risk of unauthorized, remote access to ongoing conversations, possibly allowing a hidden access point into your communications. Mysk’s tests revealed that Signal did not issue a warning about the existence of a cloned session, reinforcing fears of potential security lapses.
This situation revisits debates that have previously been addressed, such as criticisms from Elon Musk about Signal’s vulnerabilities. Mysk points out that the ease of cloning a Signal session from the desktop app has led some critics to suspect a “backdoor,” echoing Musk’s claims.
Given these findings, should you consider deleting or unlinking your desktop apps? The answer depends on your risk level. High-risk individuals—those in sensitive professions or locations—should avoid using desktop apps, as these vulnerabilities could potentially lead to significant data exposure. While physical access to a device is a known risk, the potential for remote exploitation highlighted here is substantial.
Mysk’s advice is straightforward: “Apps on iOS are strictly isolated, and no app can access the data of another app. Android has similar isolation technology. Even if mobile apps store their data in plain text within their sandbox, malicious apps are unlikely to access it. However, exploiting the local data of Signal or WhatsApp desktop apps compromises the entire account, including the companion mobile app. To be safe, unlink any desktop apps.”
Desktop companion apps for both messaging platforms serve as entry points into your account, with your smartphone app as the primary access point. Unlinking the desktop apps effectively removes their access and data. This process is akin to deleting the app itself and can be done through the settings on your phone’s app.
I have reached out to WhatsApp and Signal for comments on this issue. In the meantime, many security-conscious users may choose to halt the use of desktop apps until further details emerge. As with all security vulnerabilities, increased awareness can lead to both greater vigilance and a higher risk of exploitation.