A mistake in the process used by the Signal Desktop application to encrypt locally stored messages leaves them wide open to an attacker.

The problem is that the encryption key is stored on the machine in a local plain text file. Any malware able to read unencrypted local files could obtain the key, and therefore decrypt the messages.

Researchers have developed a proof-of-concept side-channel attack that allows them to pull encryption keys from a single decryption for a modern version of OpenSSL.