Signal says there’s “no evidence” of device-hijacking flaw

Signal has been forced to deny rumours sweeping social media that its messaging software was suffering from a serious zero-day vulnerability.

Reports spread on social media over the weekend that a flaw in the way the app generated link previews would allow attackers to take control of devices. Signal users were advised to switch off the link previews in the app’s settings to mitigate the alleged flaw.

This morning, the company has taken the unusual step of denying that the flaw exists on its own X (formerly Twitter) account.

“We have seen the vague viral reports alleging a Signal 0-day vulnerability,” the company tweeted. “After responsible investigation we have no evidence that suggests this vulnerability is real nor has any additional info been shared via our official reporting channels.”

A follow-up tweet stated: “We also checked with people across US Government, since the copy-paste report claimed USG as a source. Those we spoke to have no info suggesting this is a valid claim. We take reports to [email protected] very seriously, and invite those with real info to share it there.”

Signal’s president, Meredith Whittaker, went even further, suggesting the rumours were part of an orchestrated campaign. “WE HAVE NO EVIDENCE THAT THE REPORT IS REAL,” she tweeted. “Pls share with anyone who passed you this info. The vague and viral form of the report has the hallmarks of a disinfo campaign.”

Signal has been one of the biggest critics of the UK Government’s plans to clamp down on end-to-end encryption, as part of the recently passed Online Safety Bill. In addition, Whittaker has posted tweets in the past week that appear to be critical of Israel’s recent actions in Gaza. To be clear, we’ve seen no evidence of any link between the Signal “disinfo” and the company’s/CEO’s public statements.