Signal says there is no evidence rumored zero-day bug is real

Signal messenger has investigated rumors spreading online over the weekend of a zero-day security vulnerability related to the ‘Generate Link Previews’ feature, stating that there is no evidence this vulnerability is real.

1 Like

Link preview is only generated if the link is copied and pasted and the preview is generated locally. I can’t see how this can be exploited and also didn’t hear about an RCE.

1 Like

I don’t know if this rumor is true but conceptually if someone had link previews enabled and the link preview was a malicious image designed as the start of an exploit chain then it could be an attack vector.

This is why iMessage link previews are disabled in lockdown mode for Apple devices.

In general I’d recommend against link preview regardless of any rumors in order to reduce attack surface (threat model dependent of course).

2 Likes

True, but I would imagine that would be the case for any image sent via Signal, I don’t know why link previews specifically would be affected. I agree there’s no reason to not disable every feature you don’t need though, to reduce your attack surface.

1 Like

Why would Signal want to lie about having vulnerabilities in their app, system, protocol, etc.? That’s what the real question here is in my opinion.

1 Like

That depends on the origins of the vulnerability.

  1. This vulnerability could’ve originated from Signal themselves, at the behest of governments (no secret that encryption is under threat). The USG was cited as a source of the vulnerability. It wouldn’t surprise me if they consulted with the USG for permission to plug the vulnerability. The USG said “no”, and now they’re trying to save face, “No vulnerability here… we couldn’t find anything”.
  2. Alternatively, this is a big issue they can’t just quickly patch out. Something that would take a long time to fix. In this case they’re saying they couldn’t find any issues to try to buy time. Kicking the can down the road, hoping this exploit is not discovered in the wild.

Either way, until this gets sorted out, we have a potential fix.

DISABLE LINK PREVIEWS
Settings > Chats > Generate link previews

Several chat services have had similar issues caused by link previews. This should, in my opinion, be standard practice.

I’m still trying to figure out what kind of vulnerability link previews on Signal could even have, they’re done locally on the sender’s device and basically just sent as an attached image 🤔

The whole rumor doesn’t make a lot of sense to me personally, but definitely disable link previews if it makes you feel better.

4 Likes

I’m not sure how it works in Signal, but link previews have been known to cause issues in other chat services:

https://nvd.nist.gov/vuln/detail/CVE-2019-18426

I would be trusting Signal here. No one who parroted this supposed vulnerability can seem to actually explain how it works exactly, and their accusations contradict how the Signal app itself works in the first place. Signal also has no conceivable reason to lie about potential vulnerabilities. It would absolutely kill them if they were shown to have lied about vulnerabilities.

1 Like

Agreed. This looks like FUD, and it’s safe to assume a zero-day exploit within Signal would be patched ASAP.

In this first link you sent, Signal takes “Approach 1” which completely protects the recipient from risk. The only risk is the IP of the sender being leaked, but as they accurately note:

> This might not be a problem if we can assume that the sender trusts the link that they’re sending, since they’re the ones taking action to send a link.

Hypothetically it could be that both normal images and link previews work as attack vectors but as they are separate settings someone could have disabled auto-image download while leaving link preview enabled.

Honestly I can’t think of a real world use case for an attack but given the lengths organizations like NSO have gone to implant spyware it does make me appreciate my own lack of malicious creativity.

Regardless, I believe if Signal thought this was a real risk they would say so. Also, Citizen Lab or a similar organization would likely have spotted some malware campaign by now and they haven’t said anything to date.

1 Like

I actually forgot you could disable media auto-downloads. Yeah, fair enough then 🙂

1 Like