Bugs Found In ‘Secure’ Signal Messaging Service

Researchers have published details of what they said are the first bugs to have been found in the Signal mobile messaging system, whose code is used by Facebook’s WhatsApp to provide secure communications.

The two bugs could allow attackers to corrupt encrypted Signal attachments, effectively making the attachments impossible to download, acknowledged Signal’s developer, Open Whisper Systems.

Security bugs


While the company called the bugs “low severity”, they represent the first vulnerabilities to have been found in Signal.

Jean-Philippe Aumasson, principal research engineer at Kudelski Security, said no Signal bugs have previously been published, something he said indicates the platform’s security.

He and Markus Vervier, chief executive of X41, found the bugs during an informal review of the Android version of Signal, and the issues were quickly addressed by Open Whisper, they said.

“Since two of the bugs for the Java reference implementation of Signal have been publicly fixed after our disclosure, we think we should give a little description about what we found,” they wrote in an advisory.

Attachment corruption

The vulnerabilities allow attackers who have hacked a Signal server to append a minimum of 4GB of pseudorandom data to an encrypted attachment while it is in transit, Open Whisper acknowledged, which causes a denial of service by corrupting the file and making it too large to open on any Android device.

But it added that an attacker who had compromised a server could block attachments in other, easier ways.

Signal, available for Android and iOS, provides encrypted communications and has been recommended by the likes of Edward Snowden.

Under a deal announced in 2014, Facebook uses Signal code to provide an encrypted WhatsApp messaging service that was launched earlier this year.

The researchers said on Thursday that they notified Open Whisper of the problems on Tuesday and that a fix was released the same day.

Encryption controversy

The European Commission this week published controversial draft telecommunications rules that could limit the use of encryption by digital communications services such as Skype and WhatsApp.

The rules would make such services subject to some of the same wiretapping rules currently followed by telecommunications companies.

Services including WhatsApp have introduced end-to-end encryption as a direct result of Snowden’s disclosures of widespread data surveillance by the US government.


Matthew Broersma

Matt Broersma is a long-standing tech freelance who has worked for Ziff-Davis, ZDnet and other leading publications.
