Signal Refutes Claim of Alleged Zero-Day Vulnerability

Signal, an encrypted messaging service denied claims about a possible zero-day flaw that could impact the security and privacy of its users.

The rumors, which started circulating over the weekend, warned users to turn off link previews on Signal. Thus, relating the security flaw to the ‘Generate Link Preview’ feature of the app. However, post investigation, the company confirmed that it found no evidence supporting this unverified claim.

It released a statement on X (formerly Twitter) about its investigation and the lack of evidence regarding the rumor about the claimed vulnerability in the software. It also advised users with any genuine knowledge about the flaw to contact their security team via security@signal.org.

‘’PSA: we have seen the vague viral reports alleging a Signal 0-day vulnerability. After responsible investigation, we have no evidence that suggests this vulnerability is real nor has any additional info been shared via our official reporting channels,’’ the statement on X read.

The company also tweeted that it had verified these claims with US government officials, cited as a source for this alleged vulnerability report.

‘’We also checked with people across the US Government, since the copy-paste report claimed USG as a source. Those we spoke to have no info suggesting this is a valid claim,’’ Signal stated.

The rumor which originated from an unverified source claimed that the flaw can grant unrestricted access to the app users’ device. Thus, allowing threat actors to deploy malware and extract personal information of the target for committing financial frauds or espionage campaigns.

The possibility of threat actors exploiting this vulnerability led to a widespread concern among the cybersecurity community, resulting in an outpouring of advice to disable the ‘Generate Link’ feature or update the app.

Launched in the beginning of 2018, Signal messaging platform is said to have more than 40 million users.