Encrypted messaging service Signal is debunking rumors that the app suffers from a serious vulnerability that opens users to attack.
After reports about the threat circulated over the weekend, sparking panic, Signal today tried to dispel allegations about a zero-day vulnerability.
“PSA: we have seen the vague viral reports alleging a Signal 0-day vulnerability,” Signal tweeted. “After responsible investigation we have no evidence that suggests this vulnerability is real nor has any additional info been shared via our official reporting channels.”
Indeed, no one has uncovered any hard evidence about the flaw. The rumors seem to have come from several accounts on LinkedIn, Twitter, and Mastodon that warn about the alleged flaw but don't provide any documentation about it, including how it was discovered.
According to the rumors, the zero-day vulnerability can leverage Signal’s ability to preview a shared link to launch the attack. “To close the vulnerability, have everyone go to setting under your profile in signal> chats> deselect ‘generate link preview,’” Mike Saylor, CEO at Blackswan Cybersecurity, wrote on LinkedIn. “Also make sure your signal app is up to date.”
The rumors claim the US government has information about the flaw. However, Signal says it “checked with people across US Government” to verify the findings, but “those we spoke to have no info suggesting this is a valid claim.”
Still, if the flaw is real, Signal is hoping details about the vulnerability are shared to the group’s email at [email protected], so that it can be patched.
Security researcher Matt Blaze said he also heard rumors about the flaw affecting Signal’s desktop service and possibly its app. He’s since said the rumors may refer to a
Read more on pcmag.com