Over the weekend, rumors circulated that Signal, one of the most trusted end-to-end encrypted messaging apps, had a serious zero-day vulnerability. The claims, which have now been all but debunked, swiftly caused a panic in the infosec community.
Security site BleepingComputer reports that “numerous sources” reached out about the supposed bug, with some alleging they’d heard it was so bad that it could lead to “a full takeover of [impacted] devices.” Actual details about the bug were scant. The one claim that got repeated often was a supposed mitigation: turn off Signal’s link preview feature. That implied the vulnerability had something to do with link previews, though no one circulating the warning offered a proof of concept, a crash, or any other technical detail that would let a third party confirm it. Another rumor held that the allegations originated with people who worked for the federal government, which seemed to lend the claims legitimacy.
The whole thing generated significant interest from security professionals on social sites like X and Mastodon, many of whom said they were investigating the claims for themselves.
However, according to Signal, the reports are much ado about nothing. The company says that it has investigated the bug rumors and found nothing to substantiate them. On Sunday, Signal’s president, Meredith Whittaker, took to X to issue an explicit refutation. “Important PSA for those who received the odd viral report of a vuln in Signal. After investigating: WE HAVE NO EVIDENCE THAT THE REPORT IS REAL,” Whittaker tweeted.
Following Signal’s response, some security pros criticized the hysteria that let the claims go viral. “Really disappointed with the amount of otherwise smart infosec people who shared the signal 0day copypasta this weekend without investigating at all or confirming it,” tweeted Cooper Quintin, a researcher with the Electronic Frontier Foundation. “We are not immune to disinformation attacks and this weekend was a stunning example of that.”
It’s true that the commercial surveillance industry is filled with for-hire hackers who trawl for security weaknesses in widely used platforms, especially messengers. An entire zero-day market for messengers exists and, earlier this month, a report from TechCrunch showed that such vulnerabilities can sell for as much as $8 million to the right buyer. A working exploit for Signal, a widely trusted privacy app, would undoubtedly be worth a great deal of money, which is exactly why an unverified rumor of one spread so quickly.
Although Signal has said it has no evidence of a bug, it remains interested in any evidence that the vulnerability is real and has asked anyone with relevant information to contact it at security@signal.org.