Signal shoots down zero-day rumors, finds 'no evidence' of device takeover

Signal has denied a "vague viral reports" of a zero-day vulnerability in its Generate Links Previews that could allow device takeover.

In a late Sunday night post on the site formerly known as Twitter, Signal said it conducted a "responsible investigation" and found "no evidence that suggests this vulnerability is real nor has any additional info been shared via our official reporting channels."

PSA: we have seen the vague viral reports alleging a Signal 0-day vulnerability.After responsible investigation *we have no evidence that suggests this vulnerability is real* nor has any additional info been shared via our official reporting channels.

— Signal (@signalapp) October 16, 2023

"We also checked with people across US Government, since the copy-paste report claimed USG as a source," according to Signal. "Those we spoke to have no info suggesting this is a valid claim."

The rumors started on Sunday with several well-known security researchers and security folk warning about the alleged remote code execution bug.

"Been hearing whispers all weekend, some from people who I'd *definitely* listen to, of a remote execution 0day in the Signal desktop and possibly also mobile app. Mitigation is supposedly to disable link previews (under settings->chats)," said cryptography expert Matt Blaze on Mastodon.

"I have no more details," he opined. "What I've heard doesn't completely make sense, but disabling link previews should be at worst harmless and seems prudent until this is clarified.

After the messaging app refuted the zero-day claim, some including Blaze said it appeared to be related to CVE-2023-4863, a heap buffer overflow in libwebp that affected any software that used the WebP  image library. 

Several web browsers (Google Chrome, Mozilla Firefox, Brave, Tor, and more) along with operating systems (Ubuntu, SUSE, Oracle, and Amazon and other) and applications using Chromium-based Electron including Signal, Telegram and Slack all issued fixes last month.

• Signal adopts new alphabet jumble to protect chats from quantum computers
• Chrome, Firefox and more caught with their WebP down, offer hasty patch-up
• It's 2023 and Microsoft WordPad can be exploited to hijack vulnerable systems
• Another security update, Apple? You're really keeping up with your tech rivals

A Signal spokesperson wouldn't confirm that the rumored bug was related to CVE-2023-4863, but told The Register: "If it is related to CVE-2023-4863, the webp vulnerability, Signal patched that weeks ago and the latest versions of Signal have all been running that patch for some time."

Regardless, it's a good reminder to update software and apps in a timely manner. And, as, several infosec insiders pointed out: to be safe, turn off features that you aren't using. And don't panic.

Huntress senior security researcher John Hammond told The Register that he hasn't seen anything to indicate a Signal security flaw. 

"No research that I'm aware of indicates a Signal vulnerability, there is no CVE and no other details available other than the cryptic copy-paste message," Hammond told us. "At face value it does seem like a strange 'scream test' to see how fast information can travel without validation." ®