Signal investigated rumours of a zero-day security vulnerability related to its 'Generate Link Previews' feature and found no evidence of the alleged vulnerability, widely reported on Twitter and by various sources.

The issue came to light when several reports circulated over the weekend of 14 and 15 October, suggesting that a new zero-day vulnerability had emerged, potentially allowing attackers to take full control of devices. These claims quickly spread through online communities and the cybersecurity world.

In response to these reports, Signal released a statement on Twitter, stating, 'PSA: we have seen the vague viral reports alleging a Signal 0-day vulnerability. After responsible investigationwe have no evidence that suggests this vulnerability is real, nor has any additional info been shared via our official reporting channels.'

While Signal asserts that there is no evidence of a new zero-day vulnerability, they have encouraged anyone with valid information to contact their security team. As the investigation is ongoing, users are advised to temporarily turn off the Link Previews feature until its authenticity is fully confirmed.

Why does it matter?

Zero-day vulnerabilities in Signal are in high demand and can fetch substantial sums in the cybersecurity community. Organsations and individuals with malicious intent are willing to pay large amounts for these flaws, as they can lead to remote code execution on targeted devices.

For instance, zero-day broker Operation Zero is reportedly willing to pay as much as$1.5 million for a Signal zero-day vulnerability that enables remote code execution.