Bugs Found In ‘Secure’ Signal Messaging Service

Researchers have published details of what they said are the first bugs to have been found in the Signal mobile messaging system, whose code is used by Facebook’s WhatsApp to provide secure communications.

The two bugs could allow attackers to corrupt encrypted Signal attachments, effectively making the attachments impossible to download, acknowledged Signal’s developer, Open Whisper Systems.

Security bugs


While the company called the bugs “low severity”, they represent the first vulnerabilities to have been found in Signal.

Jean-Philippe Aumasson, principal research engineer at Kudelski Security, said no Signal bugs have previously been published, something he said indicates the platform’s security.

He and Markus Vervier, chief executive of X41, found the bugs during an informal review of the Android version of Signal, and the issues were quickly addressed by Open Whisper, they said.

“Since two of the bugs for the Java reference implementation of Signal have been publicly fixed after our disclosure, we think we should give a little description about what we found,” they wrote in an advisory.

Attachment corruption

The vulnerabilities allow attackers who have hacked a Signal server to append a minimum of 4GB of pseudorandom data to an encrypted attachment while it is in transit, Open Whisper acknowledged, which causes a denial of service by corrupting the file and making it too large to open on any Android device.

But it added that an attacker who had compromised a server could block attachments in other, easer ways.

Signal, available for Android and iOS, provides encrypted communications and has been recommended by the likes of Edward Snowden.

Under a deal announced in 2014 Facebook uses Signal code to provide an encrypted WhatsApp messaging service that was launched earlier this year.

The researchers said on Thursday that they notified Open Whisper of the problems on Tuesday and that a fix was released the same day.

Encryption controversy

The European Commission this week published controversial draft telecommunications rules that could limit the use of encryption by digital communications services such as Skype and WhatsApp.

The rules would make such services subject to some of the same wiretapping rules currently followed by telecommunications companies.

Services including WhatsApp have introduced end-to-end encryption as a direct result of Snowden’s disclosures of widespread data surveillance by the US government.

Are you a security pro? Try our quiz!

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Is the Digital Transformation of Businesses Complete?

Digital transformation is an ongoing journey, requiring continuous adaptation, strong leadership, and skilled talent to…

18 hours ago

Craig Wright Faces Contempt Claim Over Bitcoin Lawsuit

Australian computer scientist faces contempt-of-court claim after suing Jack Dorsey's Block and Bitcoin Core developers…

19 hours ago

OpenAI Adds ChatGPT Search Features

OpenAI's ChatGPT gets search features, putting it in direct competition with Microsoft and Google, amidst…

19 hours ago

Google Maps Steers Into Local Information With AI Chat

New Google Maps allows users to ask for detailed information on local spots, adds AI-summarised…

20 hours ago

Huawei Sees Sales Surge, But Profits Fall

US-sanctioned Huawei sees sales surge in first three quarters of 2024 on domestic smartphone popularity,…

20 hours ago

Apple Posts China Sales Decline, Ramping Pressure On AI Strategy

Apple posts slight decline in China sales for fourth quarter, as Tim Cook negotiates to…

21 hours ago