Signal Says Reports of a Zero-Day Bug Are False

Signal Says Reports of a Zero-Day Bug Are False

Over the weekend, rumours circulated that Signal, one of the most trusted encrypted chat apps on the web, had a pretty bad zero-day vulnerability. The claims, which have now been all but debunked, swiftly caused a panic in the infosec community.

Security site BleepingComputer reports that “numerous sources” reached out about the supposed bug, with some alleging they’d heard it was so bad that it could lead to “a full takeover of [impacted] devices.” Unfortunately, actual details about the bug were scant, though one claim that got repeated often was a supposed mitigation technique: to turn off Signal’s links preview feature. This seemed to indicate that the vulnerability had something to do with this feature. Another rumour was that the allegations were coming from people who worked for the federal government, which seemed to add legitimacy to the claims.

The whole thing generated significant interest from security professionals on social sites like X and Mastodon, many of whom said they were investigating the claims for themselves.

However, according to Signal, the reports are much ado about nothing. The company says that it has investigated the bug rumours and found nothing to substantiate them. On Sunday, Signal’s president, Meredith Whittaker, took to X to issue an explicit refutation. “Important PSA for those who received the odd viral report of a vuln in Signal. After investigating: WE HAVE NO EVIDENCE THAT THE REPORT IS REAL,” Whittaker tweeted.

Following Signal’s response, some security pros criticised the hysteria that led to the claims going viral. “Really disappointed with the amount of otherwise smart infosec people who shared the signal 0day copypasta this weekend without investigating at all or confirming it,” tweeted Cooper Quinton, a researcher with the Electronic Frontier Foundation. “We are not immune to disinformation attacks and this weekend was a stunning example of that.”

It’s true that the commercial surveillance industry is filled with for-hire hackers who troll for security weaknesses in widely used platforms—especially messengers. In fact, an entire zero-day market for messengers exists and, earlier this month, a report from TechCrunch showed that such vulnerabilities are worth as much as $US8 million to the right buyer. If one existed for Signal—a widely trusted privacy app—it would undoubtedly be worth quite a lot of money.

Although Signal has said it has no evidence of a bug, it still seems to be interested in any evidence that the vulnerability is real and has suggested that anyone with relevant information reach out to them at

The Cheapest NBN 50 Plans

It’s the most popular NBN speed in Australia for a reason. Here are the cheapest plans available.

At Gizmodo, we independently select and write about stuff we love and think you'll like too. We have affiliate and advertising partnerships, which means we may collect a share of sales or other compensation from the links on this page. BTW – prices are accurate and items in stock at the time of posting.