Cybersecurity specialist Adam Donenfield shared an unusual failure he encountered while using the Signal messenger.

The issue arose when unknown users, labeled as “Signal Connection,” were added to Donenfield’s list of trusted contacts. Furthermore, Donenfield noticed two attempts by VoIP Zavzov, raising suspicions about the unusual nature of the situation.

The glitch resulted in third-party contacts being added to Donenfield’s list, leading to the appearance and subsequent blocking of contacts with identical names. Initially, around 20 such anomalies were present on the list, but unexpectedly increased to over 100 upon subsequent logins to the application. Donenfield also linked the VoIP calls to potential vulnerabilities or errors in VoIP technology, suggesting the existence of a zero-day vulnerability.

Similar issues were reported among users in Russia, suggesting a widespread impact of the problem.

Signal’s Head, Meredith Whittacer explained that the problem was not the result of targeted Zero Click attacks, but rather a result of a privacy setting error. This error unintentionally linked the phone number with the user’s name. Whittacer assured users that the development team is already working on resolving the issue.

Donenfield confirmed that he was using the latest versions of both iOS 17.4 and Signal 7.2. He noted that updates addressing these issues were released the next day after the problem was discovered.

An important feature introduced in Signal 7.0 in March of this year was the option to use nicknames instead of phone numbers. This feature, initially tested in February with a limited group of users, is now available to all, allowing users to communicate in the messenger without disclosing their real phone numbers.

* The social network mentioned is prohibited in the Russian Federation.

/Reports, release notes, official announcements.