Privacy-focused messaging firm Signal is pouring cold water on widespread rumors of a zero-day exploit in its popular encrypted chat app.
“We have seen the vague viral reports alleging a Signal 0-day vulnerability. After responsible investigation *we have no evidence that suggests this vulnerability is real* nor has any additional info been shared via our official reporting channels,” Signal said late Sunday night.
Rumors of a Signal zero-day started circulating over the weekend with what appears to be a copy-pasted warning the “generate link preview” feature could be exploited to take full control of devices.
“To close the vulnerability, have everyone go to settings under your profile in signal> chats> deselect “generate link preview”. Also make sure your signal app is up to date,” according to the cryptic note.
The original source for the zero-day warning is unknown but Signal said it checked with its contacts across the US Government, since the copy-paste report claimed USG as a source. “Those we spoke to have no info suggesting this is a valid claim,” the company said on X, the social media site previously known as Twitter.
The feature, on by default on some Signal installations, displays a short summary and preview image of a URL being sent but experts have long warned that it provides attack surface to leak IP addresses, expose links sent in end-to-end encrypted chats, and unnecessarily downloading gigabytes of data quietly in the background.
Interestingly, Apple’s optional LockDown Mode disables the iMessage link preview feature in response to malicious targeting by surveillance spyware vendors.