[Desktop] unencrypted files on local storage [Security / Privacy]

[ghost]

version 3.3.2872 - desktop

wire keeps unencrypted files (like images for example and other files in plain text) in cache folder and other locations on local storage even if the user deleted the messages in the conversation itself and logged off from wire.

[ghost]

a related issue has been found in signal messenger but has been patched
signalapp/Signal-Desktop#2815

[ghost]

https://latesthackingnews.com/2018/10/25/upgrading-to-signal-desktop-app-from-chrome-extension-leaves-your-messages-unencrypted/

[raphaelrobert]

The Wire Desktop app does not additionally encrypt files locally. We think that the first line of defense should be full disk encryption, as that is the most comprehensive encryption of local data and we recommend that in our Security Whitepaper.
That is not to say we won't add additional encryption for local data, but it is something that by design does not comprehensively address all attack vectors.

[ghost]

@raphaelrobert So if the device is not encrypted and the user deleted the messages in the conversation then the user is required to delete the files locally as well?

How is this supposed to be done and which files need to be cleared then?

I havent tested this on other wire versions or platforms but will do. I hope this issue is addressed because it can lead to hijacking the app then breaking its whole purpose.

This issue can be used in a multitude of ways in case a device has been compromised besides numerous potentials for exploits.

I guess I did the right thing by reporting this and trying to give the devs a heads-up.

[raphaelrobert]

Is this a feature request or a bug report?
If it's the latter, could you provide some more information and also some steps to reproduce the bug? The devs can then look into it.

[ghost]

@raphaelrobert
This is a flaw -to be more precise- that can be resolved by a locking mechanism, sandboxing, local encryption, privilege handling etc to prevent other apps from accessing these cleartext files for example, which is part of how wire behaves on the device its installed on and how it handles possible data leakage and protection of personally sensitive files.

Further, as mentioned in OP wire does not attempt to delete all local content of what a user deletes in the app. To reproduce, simply start a conversation on wire app on any platform then send a text, a video (youtube), a picture and an attachment (basically any type of data that can be sent by wire) then delete them and log off. Go check cache folder (and other wire local folders) to see remnants of the above.

So basically if wire doesnt locally delete the deleted content it should at the very least store them in encrypted form and inform the user about this then the user can choose whether they want a local archive of everything they sent/received over wire or not.

[ghost]

Oh, and of course the same should be investigated on the recipient's device to find what happens to local files if the sender deletes messages (using: delete for all).

[baimafeima]

While you are about to address the Manning bug, please also look at the other security flaws listed below. Quoted from Privacy Handbuch (https://www.privacy-handbuch.de/handbuch_74.htm)

Ich habe mir den Linux Client von Wire kurz angeschaut und teilweise erhebliche Sicherheitsmängel gefunden (Stand: Okt. 2017): Die verschlüsselt übertragenen Chats werden unverschlüsselt im Log gespeichert (Das ist als "Mannings-Bug" bekannt geworden.) Das unverschlüsselte Logging der verschlüsselten Kommunikation kann nicht deaktiviert werden - Epic Fail.

Die Login Credential für die Wire Accounts (Uername, Passwort) werden auf dem Computer unverschlüsselt gespeichert, auch diese Speicherung kann nicht deaktiviert und durch Passworteingabe beim Starten ersetzt werden.

Updates für den Javascript Code werden beim Start automatisch aus der Amazon Cloud nachgeladen und ungefragt ausgeführt. Damit könnte durch gezielte Manipulation die Verschlüsselung kompromittiert werden. (Remote Code Execution ist ein Bug und kein sinnvolles Feature.)

Die HTTPS-Verschlüsselung zu den Wire-Servern in der Amazone Cloud entspricht nicht den Vorgaben des BSI oder IETF an sichere TLS-Verschlüsselung. Außerdem werden keine Sicherheitsfeatures wie OCSP.Stabling, DNSSEC, DANE/TLSA und HKPS genutzt.

Der Linux Client kontaktiert ungefragt externe Server wie maps.google.com und images.usplash.org die nicht unter Kontrolle von Wire.com stehen.

Außerdem speichert der Wire Server die Metadaten jeder Kommunikation unverschlüsselt in einer Datenbank. Diese Vorratsdatenspeicherung wird in der Datenschutzpolicy nicht klar benannt.

//
Please contact Privacy Handbuch once these fixes are implemented so that it can be updated. Thank you.

[ghost]

if you are strictly looking for the bug side of things then please make wire delete/wipe messages/media and traces on the device when user deletes them in the app (because it doesn't)

on a sidenote, local encryption is useless if the device is compromised (if you want to look into the wider scope)

[dbquarrel]

For the record this above is not a feature request, this is a bug.

If the user deleted a message and wire keeps a copy on the disk: that is a bug.

Wire keeping a cache of unencrypted conversations defeats 50% of the purpose of the app (secure messaging). If your security model is "well we hope the user doesn't have any malware installed, and we hope the user didn't get a password stolen, and we hope the OS doesn't have a zero-day exploit", you have no business considering this a secure platform.

Security based on hope and assumptions is not security.

It's a major design flaw in the one area, and a major bug in the other (deleted things should be deleted).

I don't know why wire devs are so hard headed about these issues. Users are telling you how they need the software to work and you tell the users nah, you don't need that.

[ekkis]

so long as the data is on disk, unencrypted, how can I access it? I made a backup and deleted some stuff... now I've found that the restore is broken but if the above is correct, I should be able to find the data on disk. I'm on OS/X and have looked into the /Users/ekkis/Library/Containers/com.wearezeta.zclient.mac/Data/Library/Application\ Support/Wire directory where I find a databases/Databases.db file I can open with SQL Lite but that is empty and can see the files in the Cache directory, but they're binary. how can I read them?

[Ruchbah]

On the MacOS User/library, when Wire is closed, or deleted, you can see part of your conversations in clear on these files
Wire/Local Storage/leveldb/.ldb
Wire/Local Storage/leveldb/.log
This clearly represents a threat in a situation where if Wire needs to be deleted, that folder won't automatically be deleted so the messages will still be visible to whoever has access to the computer.
Yes, full disk encryption mitigates this but if I am forced to open the computer (it can happen in some countries), those files will be there.