The team behind the Signal messaging app has refuted the claims about a zero-day vulnerability in its communications platform, saying there’s no evidence such a problem exists.
Signal is a widely used and trusted messaging with robust end-to-end encryption, emphasizing user privacy and data security. A zero-day vulnerability in the app or underlying services would severely shake users’ trust in the platform and potentially compromise massive amounts of sensitive communications data.
A zero-day flaw is an actively exploited security problem for which there’s no available fix. Typically, this occurs when hackers find a way to leverage a security gap without the vendor knowing about it. If the exploitation isn’t too noisy, the hackers may continue using the flaw for extended periods.
The rumors about an unknown vulnerability impacting Signal started when certain users on X, including @gaughen, posted about it, claiming that he had received a tip on its existence. Other sources pointed to U.S. Cyber Command as being the original source of the zero-day without providing any evidence.
Gaughen’s post on X claimed that the vulnerability related to the ‘Generate link previews’ feature, accessible through Settings → Chat, suggesting that everyone disables it to prevent becoming a victim. However, no further details about the alleged flaw, or other information about its exploitation were provided in that post.
Signal says claims unfounded
In a public service announcement published on X earlier today, Signal informed its userbase that after investigating the unfounded claims, it has found no actual information or evidence proving the existence of a zero-day relating to ‘Generate link previews.’
The platform also contacted people from USCYBERCOM, which was rumored to have more info on the subject, and received assurances that the agency holds no such info. Signal’s president, Meredith Whittaker, even went as far as characterizing the report as a typical example of a disinformation campaign, being purposefully vague while carrying enough clues to go viral.
Today, Gaughen deleted his original tweet about the zero-day vulnerability and posted an apology to his followers, saying that “the information he had been given earlier was false,” and there’s no zero-day on Signal relating to link previews.
Nonetheless, the report has caused a stir among Signal users, with many deactivating the feature as a “just in case” precaution. Additionally, many find it hard to trust USCYBERCOM’s assurances as they see no incentive for the agency to admit the existence of a zero-day vulnerability in Signal the U.S. government could use for surveillance.
To avoid spreading FUD, we should underline that, at this time, there’s no concrete evidence that the reports for a zero-day vulnerability on Signal are anything but false. As a general rule, we suggest disabling features you don’t actively use or need on software and online platforms, as these can lead to data breaches. That said, if you can live without link previews, you may want to turn off the feature on Signal.