Signal States It Has No Proof Supporting Reports of a Zero-Day Bug

Reports have been circulating that the encrypted chat app has a bad vulnerability. There’s no evidence to support that, execs state.

Over the weekend, rumors circulated that Signal, one of the most relied on encrypted chat apps online, had a pretty bad zero-day vulnerability. The claims, which have now been all however debunked, promptly caused a panic in the infosec neighborhood.

Security website BleepingComputer reports that “various sources” reached out about the expected bug, with some alleging they ‘d heard it was so bad that it might result in “a full takeover of [impacted] devices.” Regrettably, real details about the bug were little, though one claim taht got repeated often was an expected mitigation strategy: to switch off Signal’s links sneak peek function. This appeared to indicate that the vulnerability had something to do with this function. Another report was that the accusations were coming from individuals who worked for the federal government, which appeared to include legitimacy to the claims.

The whole thing produced significant interest from security specialists on social websites like X and Mastodon, a lot of whom stated they were investigating tjhe claims for themselves.

Nevertheless, according to Signal, the reports are much ado about nothing. The business says that it has examined the bug reports and found nothing to validate them. ON Sunday, Signal’s president, Meredith Whittaker, took to X to release an explicit refutation. “Important PSA for those who received the odd viral report of a vuln in Signal. After investigating: WE HAVE NO EVIDENCE THAT THE REPORT IS REAL,” Whittaker tweeted.

Following Signal’s response, some security pros slammed the hysteria that caused the claims going viral. “Really dissatisfied with the quantity of otherwise wise infosec individuals who shared the signal 0day copypasta this weekend without examining at all or validating it,” tweeted Cooper Quinton, a scientist with the Electronic Frontier Foundation. “We are not immune to disinformation attacks and this weekend was a sensational example of that.”

It’s true that the commercial monitoring industry is filled iwth for-hire hackers who troll for security weak points in widely utilized platforms– particularly messengers. In truth, an entire zero-day market for messengers exists and, earlier this month, a report from TechCrunch showed that such vulnerabilities are worth as much as $8 million to the best purchaser. If one existed for Signal– an extensively trusted personal privacy app– it would certainly be worth quite a great deal of cash.