Bugs Found In ‘Secure’ Signal Messaging Service

Researchers have published details of what they said are the first bugs to have been found in the Signal mobile messaging system, whose code is used by Facebook’s WhatsApp to provide secure communications.

The two bugs could allow attackers to corrupt encrypted Signal attachments, effectively making the attachments impossible to download, acknowledged Signal’s developer, Open Whisper Systems.

Security bugs

While the company called the bugs “low severity”, they represent the first vulnerabilities to have been found in Signal.

Jean-Philippe Aumasson, principal research engineer at Kudelski Security, said no Signal bugs have previously been published, something he said indicates the platform’s security.

He and Markus Vervier, chief executive of X41, found the bugs during an informal review of the Android version of Signal, and the issues were quickly addressed by Open Whisper, they said.

“Since two of the bugs for the Java reference implementation of Signal have been publicly fixed after our disclosure, we think we should give a little description about what we found,” they wrote in an advisory.

Attachment corruption

The vulnerabilities allow attackers who have hacked a Signal server to append a minimum of 4GB of pseudorandom data to an encrypted attachment while it is in transit, Open Whisper acknowledged, which causes a denial of service by corrupting the file and making it too large to open on any Android device.

But it added that an attacker who had compromised a server could block attachments in other, easer ways.

Signal, available for Android and iOS, provides encrypted communications and has been recommended by the likes of Edward Snowden.

Under a deal announced in 2014 Facebook uses Signal code to provide an encrypted WhatsApp messaging service that was launched earlier this year.

The researchers said on Thursday that they notified Open Whisper of the problems on Tuesday and that a fix was released the same day.

Encryption controversy

The European Commission this week published controversial draft telecommunications rules that could limit the use of encryption by digital communications services such as Skype and WhatsApp.

The rules would make such services subject to some of the same wiretapping rules currently followed by telecommunications companies.

Services including WhatsApp have introduced end-to-end encryption as a direct result of Snowden’s disclosures of widespread data surveillance by the US government.

Are you a security pro? Try our quiz!