Deleted and yet not gone: Signal stores messages longer than expected
Depending on how intensively you use the messenger, it can take days for a deleted message to disappear. Signal ignored the bug for half a year.
The encrypted messenger Signal is not as strict about deleting messages as expected, security researcher Harry Sintonen has found. He reported the problem to the responsible contacts and received no feedback for half a year. Now he is going public.
The Signal app uses an encrypted SQLite database to store all messages. It temporarily stores transactions, including scheduled deletions, in a so-called Write-Ahead Log, which is processed only on certain occasions. If a user deletes a message in the Signal app (or uses its “disappearing messages” feature), the corresponding database entry is hidden from the app and marked for deletion in the Write-Ahead Log. According to Sintonen, it can take days, or on rarely used Signal installations even weeks, until this deletion is actually executed and the message disappears from the device.
The encrypted SQLite database is a plain file. If the user regularly backs up their Signal app's data, for example via the hourly backups of Apple's Time Machine, database files that still contain supposedly deleted messages can end up in a backup and remain there indefinitely. At least they are not in plain text: the SQLCipher database of the Signal app is encrypted. An attacker who wants to read the messages would have to break this encryption or steal the keys from the user. The latter is conceivable, for example, via an info-stealer, since Signal offers desktop apps for Linux, Windows, and macOS.
Risk usually not very high
For users who use Signal quite intensively, the risk that deleted messages remain on the device for a long time is low, because the Write-Ahead Log is processed and cleared once it reaches a certain size. Anyone who wants to be sure that a deleted message is gone immediately can simply restart the app – this also processes the Write-Ahead Log.
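As an added example (not Signal's code), the following Python stand-in uses an unencrypted SQLite file in WAL mode to reproduce the mechanism described above: a deleted row's bytes stay in the write-ahead log until a checkpoint, and `PRAGMA wal_checkpoint(TRUNCATE)` (what an app restart amounts to) clears it. The file and table names and the use of the advisory's “KENSENTME” marker are constructed for the demo; the `secure_delete` flag is included because the main database file can also retain freed cell bytes after a checkpoint unless that setting is on.

```python
"""Why a deleted SQLite row can outlive its DELETE in WAL mode.

Constructed demo, not Signal's code: an unencrypted SQLite file stands in
for the messenger's SQLCipher database.
"""
import os
import sqlite3
import tempfile

MARKER = "KENSENTME"  # the advisory's example message, used as a search needle


def contains(path: str, needle: bytes) -> bool:
    """True if the raw file bytes contain needle (what a backup tool would copy)."""
    with open(path, "rb") as f:
        return needle in f.read()


def simulate(secure_delete: bool) -> dict:
    """Insert a message, delete it, and inspect the files before/after checkpoint."""
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "signal-demo.db")   # hypothetical file name
        wal = db + "-wal"                           # SQLite's write-ahead log
        conn = sqlite3.connect(db)
        try:
            conn.execute("PRAGMA journal_mode=WAL").fetchall()
            mode = "ON" if secure_delete else "OFF"
            conn.execute(f"PRAGMA secure_delete={mode}").fetchall()
            conn.execute("CREATE TABLE messages(id INTEGER PRIMARY KEY, body TEXT)")
            conn.execute("INSERT INTO messages(body) VALUES (?)", (MARKER,))
            conn.commit()
            conn.execute("DELETE FROM messages")
            conn.commit()
            # Gone from the app's point of view, but the WAL still holds the
            # page frame written by the INSERT until a checkpoint runs.
            wal_leak = contains(wal, MARKER.encode())
            # What a restart or explicit checkpoint does: merge the WAL into
            # the main file and truncate the log to zero bytes.
            conn.execute("PRAGMA wal_checkpoint(TRUNCATE)").fetchall()
            return {
                "wal_has_plaintext_after_delete": wal_leak,
                "wal_bytes_after_checkpoint": os.path.getsize(wal),
                "db_has_plaintext_after_checkpoint": contains(db, MARKER.encode()),
            }
        finally:
            conn.close()


if __name__ == "__main__":
    for flag in (False, True):
        print(f"secure_delete={flag}:", simulate(flag))
```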
Possible attacks and data leaks are likely to be limited to the more open desktop operating systems – users of these should ensure that sensitive messages do not accidentally end up in a Time Machine backup. If you want to be completely on the safe side, ban the Signal app from your desktop computer and only use it on your smartphone.
Signal team ignores researcher
The publication was preceded by a six-month waiting period. Sintonen contacted Signal's security team as early as November 2025 but received no response. Further contact attempts in April were also unsuccessful. After Signal had remained inactive for 180 days, the security researcher decided to publish the vulnerability in an advisory. It also contains a proof of concept with which the problem can be reproduced. A cute detail: the example message “KENSENTME” should be familiar to fans of Sierra's graphic adventures from the eighties.
The messenger Signal is currently the target of large-scale phishing campaigns, which have also victimized federal politicians. However, the "Signal affair" was not triggered by security vulnerabilities in the app, but by clever deception of the victims. Signal is now working on countermeasures.
(cku)