secuvera-SA-2022-01: Windows Wire message reading after deletion Affected Products Windows version of Wire Version 3.22.3993 (older releases have not been tested) References https://www.secuvera.de/advisories/secuvera-SA-2022-01.txt CVE-2022-43673 Summary: Wire is described by the manufacturer as the most secure collaboration platform, which keeps the user information private. The Wire chat messenger offers a user the possibility to delete sent messages or send self-deleting messages. By using this features a user is able to delete messages in the wire chat or send a message which deletes itself after an amount of time. Chat participants are not able to the read the deleted chat message afterwards. (see https://support.wire.com/hc/en-us/articles/210744649-Delete-a-message, https://support.wire.com/hc/en-us/articles/213216845-Send-a-self-deleting-message and https://wireapp.medium.com/safe-and-tidy-with-timed-messages%EF%B8%8F-4f26ff17b11b#.xco9e7rg5) Further Wire creates a log file in "AppData\Roaming\Wire\IndexedDB\https_app.wire.com_0.indexeddb.leveldb", in which messages are stored. Effect: Wire chat messages are stored in the log file in appdata. After the deletion in chat, stored messages are still readable for a limited period of time, because they are not deleted in the logfile until they are transferred to the database. Examples: By using the following powershell script, wire chat messages are displayed, even if they are deleted, but not transferred to the database. $logpath = $env:APPDATA + '\Wire\IndexedDB\https_app.wire.com_0.indexeddb.leveldb' $logfile = Get-ChildItem $logpath | where name -like "*.log" | Select -ExpandProperty name $file = "$logpath\$logfile" Write-Output "Looking for messages in $file" $messages = Get-Content -Raw $file $pattern='status_"(.*)mentionsA' [regex]::Matches($messages, $pattern).Value Disclosure Timeline: 2022/05/11 vendor initially contacted with all details 2022/05/17 contacted vendor again and received an answer that the vendor was investigating how to improve this situation 2022/07/11 contacted vendor again after no answer was received 2022/07/12 vendor replied that there will be no change in the method of storing messages in Wire 2022/10/17 requested CVE identifier 2022/11/17 vendor is notified that the advisory will be published 2022/11/17 public disclosure Credits: Kai Dybionka kdybionka@secuvera.de secuvera GmbH https://www.secuvera.de Disclaimer: All information is provided without warranty. The intent is to provide information to secure infrastructure and/or systems, not to be able to attack or damage. Therefore secuvera shall not be liable for any direct or indirect damages that might be caused by using this information.