Signal Refutes Claim of Alleged Zero-Day Vulnerability
- Written by Shipra Sanganeria, Cybersecurity & Tech Writer
Signal, the encrypted messaging service, has denied claims of a zero-day flaw that could compromise the security and privacy of its users.
The rumors, which began circulating over the weekend, urged users to turn off link previews in Signal, tying the alleged flaw to the app's 'Generate Link Previews' feature. After investigating, the company said it found no evidence to support the unverified claim.
It released a statement on X (formerly Twitter) describing its investigation and the lack of evidence for the claimed vulnerability, and advised anyone with genuine knowledge of a flaw to contact its security team at security@signal.org.
"PSA: we have seen the vague viral reports alleging a Signal 0-day vulnerability. After responsible investigation, we have no evidence that suggests this vulnerability is real nor has any additional info been shared via our official reporting channels," the statement on X read.
The company also said it had checked the claims with US government officials, since the viral report cited the US government as its source.
"We also checked with people across the US Government, since the copy-paste report claimed USG as a source. Those we spoke to have no info suggesting this is a valid claim," Signal stated.
The rumor, which originated from an unverified source, claimed that the flaw could grant attackers unrestricted access to a user's device, allowing them to deploy malware and extract personal information for financial fraud or espionage.
The prospect of exploitation caused widespread concern in the cybersecurity community and an outpouring of advice to disable the 'Generate Link Previews' feature or update the app. Link previews are a plausible place to point such a rumor because generating one requires the app to fetch and parse remote web content, which is attack surface whether or not any specific flaw exists.
The Signal Foundation was launched in early 2018, and the Signal messaging platform is said to have more than 40 million users.
Credential Phishing Campaign Uses LinkedIn Smart Links to Target Microsoft Accounts
- Written by Shipra Sanganeria, Cybersecurity & Tech Writer
In a new phishing campaign targeting Microsoft credentials, attackers were seen abusing LinkedIn's Smart Links feature to evade detection and bypass email security controls.
Smart Links, or "slinks", are part of LinkedIn Sales Navigator and are used by LinkedIn business accounts for marketing and tracking. The feature lets an account promote content through a LinkedIn-hosted link and measure who engages with it.
Because the URL sits on a trusted domain and carries only a "code" parameter with an 8-character alphanumeric ID, while the actual destination is resolved by LinkedIn's redirect rather than being visible in the link, it passes through many secure email gateways (SEGs). Threat actors exploited this to lure victims into clicking links that led to credential-harvesting pages and to disclosing personal or work account details.
Researchers at email security company Cofense had already observed the technique in September 2022. The latest campaign was larger and cross-industry: it used 80 unique Smart Links embedded in more than 800 emails with varied subjects, sent from newly created or previously compromised LinkedIn business accounts.
"The emails use generic subject lines that fit the themes of financial, human resources, documents, security, and general notifications," Cofense revealed. To add a sense of legitimacy, victims were not only directed to a convincing Microsoft login page; the link itself also contained their email address.
"The designated phishing kit will read the victim's email attached to the Smart Link to autofill the malicious form to add to the illusion of legitimacy that the victim has landed at the legitimate Microsoft sign-in," the investigation revealed.
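As an added example (not code from Cofense, LinkedIn or this article), the following Python scanner turns the two observations above, the Smart Link shape described in the paragraph on the "code" parameter and the recipient's own address carried in the link, into detection logic run over a constructed email body. The URL shape linkedin.com/slink?code=<8 alphanumerics> follows the article; the exact way the kit attached the address (here as a URL fragment), the sample message, and the scoring thresholds are assumptions made for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Crude URL and e-mail extractors, sufficient for a plain-text body.
URL_RE = re.compile(r"https?://[^\s<>\"')]+")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Smart Link codes are eight alphanumeric characters, as the article describes.
SLINK_CODE_RE = re.compile(r"^[A-Za-z0-9]{8}$")


def _host(parsed) -> str:
    # Strip userinfo and port so "https://x@www.linkedin.com:443/slink" still matches.
    return parsed.netloc.rsplit("@", 1)[-1].split(":")[0].lower()


def analyze_url(url: str) -> dict:
    """Return indicators for one URL: Smart Link shape and embedded addresses."""
    parsed = urlparse(url)
    host = _host(parsed)
    on_linkedin = host == "linkedin.com" or host.endswith(".linkedin.com")
    code = parse_qs(parsed.query).get("code", [""])[0]
    is_smart_link = on_linkedin and parsed.path.rstrip("/") == "/slink" and bool(code)
    # Percent-decode first so "alice%40example.com" is seen as an address too.
    embedded = EMAIL_RE.findall(unquote(url))
    return {
        "url": url,
        "is_smart_link": is_smart_link,
        "code_format_ok": is_smart_link and bool(SLINK_CODE_RE.match(code)),
        "embedded_emails": embedded,
    }


def scan_email_body(body: str, recipient: str) -> dict:
    """Score a message: any Smart Link earns review; one carrying the
    recipient's own address (the autofill trick) earns quarantine.
    Thresholds are an assumption for this example."""
    findings = [analyze_url(u) for u in URL_RE.findall(body)]
    recipient = recipient.lower()
    score, reasons = 0, []
    for f in findings:
        if not f["is_smart_link"]:
            continue
        score += 1
        reasons.append("LinkedIn Smart Link redirect: " + f["url"])
        if any(e.lower() == recipient for e in f["embedded_emails"]):
            score += 2
            reasons.append("recipient address embedded in the Smart Link")
    verdict = "quarantine" if score >= 3 else "review" if score >= 1 else "clean"
    return {"verdict": verdict, "score": score, "reasons": reasons, "findings": findings}


# Constructed sample message in the style the article describes. The fragment
# carrying the recipient's address is an assumed form, not data from Cofense.
SAMPLE_BODY = """Subject: Action required: payroll document awaiting review
Your HR document is ready. Sign in to view it:
https://www.linkedin.com/slink?code=g4Zmg2B6#alice.brown@example.com
Manage preferences: https://www.example.com/prefs
"""

if __name__ == "__main__":
    result = scan_email_body(SAMPLE_BODY, "alice.brown@example.com")
    print(result["verdict"], result["reasons"])
```

The point of the recipient check is that a legitimate marketing Smart Link has no reason to carry the reader's own mailbox address; combined with the trusted-domain redirect that SEGs wave through, that pairing is a stronger signal than either indicator alone. In a real gateway the same logic would run on every MIME part and on the final landing page after following the redirect.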
According to Cofense, the campaign primarily targeted users in the finance and manufacturing industries, though victims in energy, technology, healthcare, construction, insurance and mining were targeted as well.
"While it's important to use email security suites, it is also essential for employees to constantly be up to date on their training to combat any phishing campaign. Employees must be taught not to click links from emails that seem suspicious or unexpected."