
Deleted yet not gone: Signal stores messages longer than expected

(Image: Melnikov Dmitriy / Shutterstock.com)

Depending on how intensively users operate the messenger, it can take days before a deleted message is actually removed from the device. Signal ignored the bug report for six months.

The encrypted messenger Signal does not remove deleted messages as thoroughly as expected, security researcher Harry Sintonen has discovered. He reported the problem to Signal's security contacts but received no response for six months. Now he is going public.

The Signal app stores all messages in an encrypted SQLite database. The database runs in SQLite's write-ahead logging mode: committed changes, deletions included, are first appended to a separate Write-Ahead Log (WAL) file and are only copied into the main database file when SQLite performs a checkpoint. When a user deletes a message in the Signal app (or its "disappearing messages" feature expires one), the row disappears from every query the app runs, but the main database file still holds the old page with the message until the next checkpoint. According to Sintonen, it can take days, or even weeks on rarely used Signal instances, before that checkpoint happens and the message actually disappears from the device.

The encrypted SQLite database is simply a file. If the user regularly backs up Signal app data, for example via hourly backups with Apple's Time Machine, database files that still contain already-deleted messages can end up in a backup and remain there indefinitely. At least they are not stored in plaintext: the SQLCipher database of the Signal app is encrypted. An attacker wanting to read the messages would have to break this encryption or extract the key from the user's machine. The latter is conceivable via an infostealer, as Signal offers desktop apps for Linux, Windows and macOS.

Risk usually not very high

For users who use Signal intensively, the risk that deleted messages linger on the device for long is low, because SQLite checkpoints the WAL automatically once it exceeds a configured size (SQLite's default threshold is 1000 WAL pages). Anyone who wants to be sure that a deleted message is gone immediately can simply restart the app: closing the database also checkpoints the Write-Ahead Log.
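The following Python script is an added example, not code from the heise article or from Sintonen's advisory. It reproduces the timing described in the two paragraphs above with plain SQLite, the engine underneath SQLCipher: a message is written, the WAL is checkpointed, the message is deleted, and the raw bytes of the main database file are searched for it before and after the WAL is processed. Two assumptions are made explicit in the code: the automatic checkpoint is switched off so that only the explicit steps move data, and `secure_delete` is turned on so that SQLite zeroes deleted cells (whether Signal's SQLCipher build does this is not stated on this page). The demo database is unencrypted, which is why the marker can be found by a byte search at all; with SQLCipher the same stale page would be present but encrypted.

```python
import os
import sqlite3
import tempfile

# Constructed sample message; the advisory's proof of concept uses the same word.
MARKER = b"KENSENTME"


def file_contains(path, needle):
    """True if the raw bytes of the file at `path` contain `needle`; False if the file is absent."""
    if not os.path.exists(path):
        return False
    with open(path, "rb") as f:
        return needle in f.read()


def run_demo(workdir=None):
    """Create a WAL-mode SQLite database, delete a message, and report where its bytes still live."""
    if workdir is None:
        workdir = tempfile.mkdtemp(prefix="signal-wal-demo-")
    db = os.path.join(workdir, "messages.db")
    wal = db + "-wal"

    # isolation_level=None: autocommit, so every statement is its own committed transaction.
    conn = sqlite3.connect(db, isolation_level=None)
    conn.execute("PRAGMA journal_mode=WAL").fetchall()
    # Zero freed cells on DELETE. Assumption about Signal's build; without it the bytes
    # could survive in the page's free space even after the checkpoint.
    conn.execute("PRAGMA secure_delete=ON").fetchall()
    # Disable the automatic checkpoint (SQLite's default fires once the WAL reaches
    # 1000 pages) so that only the explicit steps below move data into the main file.
    conn.execute("PRAGMA wal_autocheckpoint=0").fetchall()
    conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")

    conn.execute("INSERT INTO messages (body) VALUES (?)", (MARKER.decode(),))
    # A busy instance would have checkpointed long ago; do it now so the message
    # sits in the main database file rather than only in the WAL.
    conn.execute("PRAGMA wal_checkpoint(TRUNCATE)").fetchall()
    results = {"in_db_after_insert": file_contains(db, MARKER)}

    conn.execute("DELETE FROM messages")  # the user's "delete message"
    results["rows_visible_to_app"] = conn.execute("SELECT COUNT(*) FROM messages").fetchone()[0]
    results["in_db_after_delete"] = file_contains(db, MARKER)   # stale page still in main file
    results["in_wal_after_delete"] = file_contains(wal, MARKER)  # WAL only holds the zeroed page

    # Closing the last connection checkpoints the WAL and removes the -wal file,
    # which is what restarting the app does.
    conn.close()
    results["in_db_after_close"] = file_contains(db, MARKER)
    results["wal_exists_after_close"] = os.path.exists(wal)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

A backup tool that copies `messages.db` between the DELETE and the close sees the message in full; copying the `-wal` file alongside it does not help, because the main file is what carries the stale page. Running the script without the `secure_delete` line shows the other half of the problem: the marker then survives the checkpoint inside the page's free space.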

Possible attacks and data breaches are likely to be limited to the more open desktop operating systems, where the database file is accessible to other software and to backup tools. Their users should ensure that sensitive messages do not accidentally end up in a Time Machine backup. Those who want to be extra safe keep the Signal app off the desktop computer and use it only on a smartphone.

Signal team ignores researcher

The publication was preceded by a six-month waiting period. Sintonen first contacted Signal's security team in November 2025 but received no response. Contact attempts in April also went unanswered. After Signal had remained silent for 180 days, the security researcher decided to publish the vulnerability in an advisory [1]. It also contains a proof of concept with which one can verify the problem oneself. A quirky detail: the example message "KENSENTME" will be familiar to fans of Sierra's graphic adventures from the eighties.

When Leisure Suit Larry used the password “Ken sent me” in 1987 to get into the back room of a tavern, encrypted messengers were not yet a thing.

The messenger Signal is currently the target of large-scale phishing campaigns, which have affected, among others, German federal politicians. The "Signal affair" [2], however, was not triggered by security vulnerabilities in the app, but by skilful deception of the victims. Signal is now implementing countermeasures [3].

(cku [5])

URL of this article: https://www.heise.de/-11304561

Links in this article:

[1] https://sintonen.fi/advisories/signal-deleted-but-not-forgotten.txt

[2] https://www.heise.de/news/Signal-Affaere-Angriffe-halten-an-Bundesanwaltschaft-ermittelt-11272101.html

[3] https://www.heise.de/news/Signal-will-per-Warnhinweis-vor-Phishing-warnen-11288331.html


[5] mailto:cku@heise.de

Copyright © 2026 Heise Medien
