Rumors circulated over the weekend that Signal, one of the most trusted encrypted chat apps on the Internet, had a pretty bad zero-day vulnerability. The claims, now largely debunked, quickly caused panic in the infosec community.
Security site BleepingComputer reports that “numerous sources” were knowledgeable about the alleged bug, with some claiming they had heard it was so bad that it could lead to “a full takeover of [impacted] devices.” Unfortunately, there were few actual details about the bug, although one often-repeated claim described a supposed damage-control technique: turning off Signal's link preview feature. This seemed to indicate that the vulnerability had something to do with this feature. Another rumor said that the allegations came from people who worked for the federal government, which appeared to lend legitimacy to the claims.
The whole thing generated considerable interest from security experts on social sites like X and Mastodon, many of whom said they were investigating the claims themselves.
However, according to Signal, the reports are much ado about nothing. The company says it investigated the bug rumors and found nothing to substantiate them. On Sunday, Signal President Meredith Whittaker took to X to offer an explicit rebuttal. “Important PSA for those who received the strange viral report of a vulnerability in Signal. After the investigation: We have no evidence that the report is genuine,” Whittaker tweeted.
Following Signal’s response, some security experts criticized the hysteria that caused the claims to go viral. “Really disappointed with the amount of otherwise smart infosec people who shared the Signal 0day copypasta this weekend without even investigating or confirming it,” tweeted Cooper Quintin, a researcher at the Electronic Frontier Foundation. “We are not immune to disinformation attacks and this weekend was a striking example of that.”
It’s true that the commercial surveillance industry employs many hired hackers who trawl for security vulnerabilities in widely used platforms – especially messengers. In fact, a whole zero-day market for messengers exists, and a report from TechCrunch earlier this month showed that such vulnerabilities are worth up to $8 million to the right buyer. If there was one for Signal – a widely trusted privacy app – it would undoubtedly be worth a lot of money.
Although Signal has stated that there is no evidence of a flaw, the company still seems interested in evidence that the vulnerability is real and has suggested that anyone with relevant information contact email@example.com.