Signal messenger has investigated rumors spreading online over the weekend of a zero-day security vulnerability related to the ‘Generate Link Previews’ feature, stating that there is no evidence this vulnerability is real.
This statement comes after numerous sources told BleepingComputer and reported on Twitter that a new zero-day vulnerability allowed for a full takeover of devices.
After contacting Signal about the zero-day last night, they released a statement on Twitter stating that they have investigated the rumors and have found no evidence that this flaw is real.
“PSA: we have seen the vague viral reports alleging a Signal 0-day vulnerability, reads a statement on Twitter.
“After responsible investigation *we have no evidence that suggests this vulnerability is real* nor has any additional info been shared via our official reporting channels.”
“We also checked with people across US Government, since the copy-paste report claimed USG as a source. Those we spoke to have no info suggesting this is a valid claim,”
Citing US government sources, news of the alleged zero-day quickly spread online and among the cybersecurity community Saturday afternoon.
These unnamed USG sources said that the vulnerability could be mitigated by disabling the ‘Generate Link Previews’ setting in Signal.
However, BleepingComputer could not confirm the validity of these statements, even though we heard it from numerous people claiming the same sources.
While Signal has stated that they have no evidence of a new zero-day, they still request that those with new and “real” info contact their security team.
As this is an ongoing investigation, and the mitigation is to simply disable the Link Previews feature, users may want to turn this setting off for the time being until it’s fully confirmed not to be real.
Source: www.bleepingcomputer.com