Bugs Found In ‘Secure’ Signal Messaging Service

Researchers have published details of what they said are the first bugs to have been found in the Signal mobile messaging system, whose code is used by Facebook’s WhatsApp to provide secure communications.

The two bugs could allow attackers to corrupt encrypted Signal attachments, effectively making the attachments impossible to download, acknowledged Signal’s developer, Open Whisper Systems.

Security bugs


While the company called the bugs “low severity”, they represent the first vulnerabilities to have been found in Signal.

Jean-Philippe Aumasson, principal research engineer at Kudelski Security, said no Signal bugs have previously been published, something he said indicates the platform’s security.

He and Markus Vervier, chief executive of X41, found the bugs during an informal review of the Android version of Signal, and the issues were quickly addressed by Open Whisper, they said.

“Since two of the bugs for the Java reference implementation of Signal have been publicly fixed after our disclosure, we think we should give a little description about what we found,” they wrote in an advisory.

Attachment corruption

The vulnerabilities allow attackers who have hacked a Signal server to append a minimum of 4GB of pseudorandom data to an encrypted attachment while it is in transit, Open Whisper acknowledged, which causes a denial of service by corrupting the file and making it too large to open on any Android device.

But it added that an attacker who had compromised a server could block attachments in other, easer ways.

Signal, available for Android and iOS, provides encrypted communications and has been recommended by the likes of Edward Snowden.

Under a deal announced in 2014 Facebook uses Signal code to provide an encrypted WhatsApp messaging service that was launched earlier this year.

The researchers said on Thursday that they notified Open Whisper of the problems on Tuesday and that a fix was released the same day.

Encryption controversy

The European Commission this week published controversial draft telecommunications rules that could limit the use of encryption by digital communications services such as Skype and WhatsApp.

The rules would make such services subject to some of the same wiretapping rules currently followed by telecommunications companies.

Services including WhatsApp have introduced end-to-end encryption as a direct result of Snowden’s disclosures of widespread data surveillance by the US government.

Are you a security pro? Try our quiz!

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Microsoft To Acquire Activision Blizzard For $68.7 Billion

Huge tech acquisition, as software giant seeks major expansion of its gaming credentials with purchase…

8 hours ago

Amazon Sued For Worker Death In Deadly Tornado Strike

Parents sue Amazon for wrongful death, after son was among six workers killed when Amazon…

11 hours ago

Twitter Expands Misleading Tweet Feature

Twitter has expanded its test feature to other countries that allows users to flag or…

11 hours ago

US Airline Bosses Warn Of ‘Catastrophic’ Aviation Crisis Due To 5G

US aviation 5G scare-mongering continues, as CEOs of ten US airlines warn of 'havoc' caused…

12 hours ago

Government Backs Ad Campaign Against End-To-End Encryption

Public funds to used for government-backed advertising campaign against end-to-end encryption, but security experts argue…

14 hours ago

Amazon Last Minute Extension For Visa Card Payments

UK Amazon users can continue using their Visa cards for online shopping for now, after…

16 hours ago