
Signal Denies Rumors of Zero-day Vulnerability Bug

Zero-Day Vulnerability in Signal - Rumor or Reality?

Yesterday, rumors circulated about a discovered zero-day exploit in the popular encrypted messaging app Signal that allegedly gives full access to a user's device. Understandably, this sparked fear among Signal users who rely on the app's strong encryption and privacy features.

However, today Signal conducted an investigation into the claims and found no evidence to support the existence of such a vulnerability. 

In a Twitter post, Signal stated: 

"PSA: we have seen the vague viral reports alleging a Signal 0-day vulnerability."

"After responsible investigation, we have no evidence that suggests this vulnerability is real nor has any additional info been shared via our official reporting channels."

Signal also checked with contacts in the US government, since the original viral report claimed the USG as its source. According to the Signal tweet, the government also had no knowledge of the alleged vulnerability.

Rumors of the alleged zero-day spread online and within the cybersecurity community via social media platforms including X (formerly Twitter), Mastodon [1, 2], Reddit, and LinkedIn.

On LinkedIn, Mike Saylo, CEO of Blackswan Cybersecurity, posted about the vulnerability in the Signal app with the following statement:

Mike Saylo's post on LinkedIn

Signal Mobile App

A zero-day exploit for Signal was discovered that gives access to your full device. To close the vulnerability, have everyone go to Settings under your profile in Signal > Chats > deselect “generate link preview”. Also make sure your Signal app is up to date.

Nikoloz K. comments on Saylo's post
The post drew many comments on the issue. One user pointed out that the vulnerability could be the WebP 0-day, a heap buffer overflow (CVE-2023-4863), which Signal patched a few weeks ago. The user's reasoning was that Saylo had recommended deselecting “generate link preview” to mitigate the issue.

With over 50 zero-days already discovered in major software products so far in 2023, security vulnerabilities are certainly a real concern. However, in this case, Signal appears to have thoroughly investigated and found no merit to the rumors.

While no software is ever 100% secure, Signal has a strong track record in security and transparency around vulnerabilities. So it seems this alleged zero-day exploit is just an unsubstantiated rumor. Signal users can continue using the app safely, but as always should update to the latest version and practice good security habits online.

This episode is a reminder that not every viral cybersecurity claim is true. While software bugs exist, we should verify claims from reputable sources before panicking or changing our digital lives. Signal's prompt and transparent response to investigate and address the rumor should give users continued confidence in the app's security.
