Cybersecurity researcher John Jackson found flaws in the Signal desktop app that allow an attacker to view deleted attachments in messages.
During the experiment, it turned out that the Signal messenger saves all sent attachments in the C:\Users\foo\AppData\Roaming\Signal\attachments.noindex\*\ directory. If the user deletes an attachment from a chat, it is automatically removed from the directory. But if someone has replied to the message with the attachment, the deleted image remains in the directory in clear text.
In other words, an attacker who can access these files does not even need to decrypt them. In addition, the folder is not cleaned regularly, so files that were not deleted simply remain there in unencrypted form.
Moreover, a cybercriminal can change a file stored in the cache. The change does not propagate automatically to the other participants in the conversation, because each Signal Desktop client has its own local cache. But if, after the file has been replaced, the victim forwards the existing thread to other chats, it will contain the modified attachment rather than the original one.
In the "attachments.noindex" folder on the victim's machine, the attacker makes a copy of the file, into which they can inject malicious shellcode. The cached file is then overwritten with a malicious PDF that carries the same file name and looks like the victim's original file. When sending the document, the victim sees the same file name and preview, but the PDF now contains malware.
The vulnerabilities have been assigned the IDs CVE-2023-24068 and CVE-2023-24069. At the moment, their rating and additional information about the flaws are unknown.
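One way to detect the in-place replacement described above is to hash the attachment cache and compare it against an earlier baseline. This is an added example, not code from the researcher or from Signal; it assumes a cached attachment's bytes should not change once written, and the directory and file names in the demo are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(cache_dir):
    """Map each file's path (relative to cache_dir) to its SHA-256 digest."""
    root = Path(cache_dir)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            h = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def compare(baseline, current):
    """Classify differences between two snapshots of the cache."""
    return {
        # Same path, different bytes. Assumption: attachments are never
        # rewritten legitimately, so this is the tamper signal.
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
        "removed": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed sample: a temp directory standing in for attachments.noindex."""
    with tempfile.TemporaryDirectory() as tmp:
        cache = Path(tmp) / "attachments.noindex"
        (cache / "3f").mkdir(parents=True)
        (cache / "a1").mkdir()
        (cache / "3f" / "3fsample").write_bytes(b"%PDF-1.4 original invoice")
        (cache / "a1" / "a1sample").write_bytes(b"\x89PNG holiday photo")
        baseline = snapshot(cache)
        # Content swapped under an unchanged name, as in the article.
        (cache / "3f" / "3fsample").write_bytes(b"%PDF-1.4 replaced content")
        (cache / "a1" / "a1sample").unlink()          # ordinary deletion
        (cache / "a1" / "a1new").write_bytes(b"new")  # ordinary new attachment
        return compare(baseline, snapshot(cache))


if __name__ == "__main__":
    print(demo())
```

On a real machine, point snapshot() at the attachments.noindex directory named in the article and store the baseline somewhere the account running Signal cannot write to.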