Signal shoots down zero-day rumors, finds 'no evidence' of device takeover

Looks to be related to critical libwebp bug found — and fixed — last month

Signal has denied "vague viral reports" of a zero-day vulnerability in its Generate Link Previews feature that could allow device takeover.

In a late Sunday night post on the site formerly known as Twitter, Signal said it conducted a "responsible investigation" and found "no evidence that suggests this vulnerability is real nor has any additional info been shared via our official reporting channels."

"We also checked with people across US Government, since the copy-paste report claimed USG as a source," according to Signal. "Those we spoke to have no info suggesting this is a valid claim."

The rumors started on Sunday with several well-known security researchers and security folk warning about the alleged remote code execution bug.

"Been hearing whispers all weekend, some from people who I'd *definitely* listen to, of a remote execution 0day in the Signal desktop and possibly also mobile app. Mitigation is supposedly to disable link previews (under settings->chats)," said cryptography expert Matt Blaze on Mastodon.

"I have no more details," he opined. "What I've heard doesn't completely make sense, but disabling link previews should be at worst harmless and seems prudent until this is clarified."

After the messaging app refuted the zero-day claim, some, including Blaze, said it appeared to be related to CVE-2023-4863, a heap buffer overflow in libwebp that affected any software that used the WebP image library.

Several web browsers (Google Chrome, Mozilla Firefox, Brave, Tor, and more), along with operating systems (Ubuntu, SUSE, Oracle, Amazon, and others) and applications using Chromium-based Electron, including Signal, Telegram and Slack, all issued fixes last month.

A Signal spokesperson wouldn't confirm that the rumored bug was related to CVE-2023-4863, but told The Register: "If it is related to CVE-2023-4863, the webp vulnerability, Signal patched that weeks ago and the latest versions of Signal have all been running that patch for some time."

Regardless, it's a good reminder to update software and apps in a timely manner. And, as several infosec insiders pointed out: to be safe, turn off features that you aren't using. And don't panic.

Huntress senior security researcher John Hammond told The Register that he hasn't seen anything to indicate a Signal security flaw. 

"No research that I'm aware of indicates a Signal vulnerability, there is no CVE and no other details available other than the cryptic copy-paste message," Hammond told us. "At face value it does seem like a strange 'scream test' to see how fast information can travel without validation." ®
