The attachments should be encrypted at rest on the drive #2793
Description
- I have searched open and closed issues for duplicates
Bug description
The attachments should be encrypted at rest on the drive not just named something that isn't the original file name.
Because I was curious, I went looking. The attachments are stored on the file system not encrypted. This should be considered PII information and should therefore be encrypted at rest on the drive even when not in use. I would assume that this is also the same problem on the phone applications.
Steps to reproduce
- Send/Receive any attachment.
- Open AppData\Roaming\Signal\attachments.noindex and find attachements in sub directories.
- Click open with and guess the application (for me that was super easy open in hex editor to see the file type in the file)
Actual result:
View attachment that was sent through signal even if those are not your attachments but another users.
Expected result:
Files would be encrypted just the same as in the application thus do not render in any application outside of signal without selected to download the file to store it locally for that purpose.
Platform info
Signal Desktop for windows.
Signal version:
1.16.3
Operating System:
Windows 7, Windows 10
Linked device version:
Android 8.0.0