Your Mac might be storing your ‘deleted’ Signal messages

Depending on your notifications settings, message content could be recovered.

One of Signal's major draws is the fact that it automatically deletes your messages. But though it may be wiping your conversations, it turns out your Mac probably isn't, Motherboard reports. Security researcher Alec Muffett tweeted about the problem this week; the issue lies with how macOS manages notifications. Depending on your settings, the macOS Notification Center might display and retain your recent messages, including the name of the sender and what they said.

Security researcher Patrick Wardle described the problem in some detail in a blog post. He showed that those messages are also stored elsewhere on your computer, in an SQLite database, and that with just a little bit of effort, all of the Signal-deleted messages that ended up in the Notification Center can be recovered. And that means someone else can get to those messages too, negating one of the main reasons to use Signal in the first place. "This is definitely less than ideal," Wardle told Motherboard. "We set messages to disappear with the expectation that they will go poof. Often such messages are very sensitive and would be ruinous if they fell in the wrong hands." He added, "If I'm a nation state [hacking] group, I'm now going to code up a 'grabSignalMessage' plugin for my implants."

Wardle noted in his post that the problem may not extend to your iPhone, as it appears messages are removed from the iOS Notification Center. But he warns it's worth looking into whether iOS stores notifications in a similar way to macOS.

To fix the problem on your Mac going forward, pop into the Signal desktop app's preferences and then the "Notifications" section. There you have the option of managing what information is included in a message notification or disabling notifications altogether. Previously stored messages still remain, however, so you'll have to clear the database that stores them or get rid of it completely, though at your own risk, Wardle writes.