Signal denies rumors of zero-day bug


After rumors about an alleged zero-day security vulnerability spread online over the weekend, Signal, the privacy-oriented messenger, has declared it’s found no evidence that the threat is real.

According to various accounts online, the supposed vulnerability was related to the “Generate Links Previews” feature and allowed for a full takeover of devices.

However, Signal has now released a statement on X – formerly known as Twitter – saying that it has completed a thorough investigation and found no evidence that the flaw was real.

"PSA (public service announcement): we have seen the vague viral reports alleging a Signal 0-day vulnerability. After a responsible investigation, we have no evidence that suggests this vulnerability is real – nor has any additional info been shared via our official reporting channels,” Signal wrote.

"We also checked with people across the US government, since the copy-paste report claimed USG as a source. Those we spoke to have no info suggesting this is a valid claim."

Rumors of the alleged zero-day spread online and among the cybersecurity community Saturday afternoon. The vulnerability could allegedly be mitigated by disabling the “Generate Link Previews” setting in Signal.

A zero-day vulnerability is a bug in a system or device that has been disclosed but is not yet patched. A vulnerability of this kind poses a higher risk to users and can cause millions of dollars in damage because cybercriminals usually rush to exploit it while it’s still exposed.

Novel zero-day vulnerabilities are discovered every year. According to Google’s Project Zero, which tracks new zero-day problems at major software vendors, around 50 such issues have already been discovered in the nine and a half months of 2023 – more than in the whole year of 2022.

Signal recently announced an upgrade to its cryptographic specifications so it can withstand a potential future cyberattack by a threat actor using quantum computers.

In 2022, OpZero, the shady Russian zero-day exploit broker, raised many eyebrows when it increased its price for Signal RCE (remote code execution) exploits so much (to $1.5M) that it exceeded the money on offer by a much better-known company, Zerodium, by a factor of three.