Right now there are a lot of new eyes on Signal, and not all of them are familiar with secure messaging and its nuances. Which means there’s misinfo flying around that might drive people away from Signal and private communications. 1/
One piece of misinfo we need to address is the claim that there are ‘vulnerabilities’ in Signal. This isn’t accurate. Reporting on a Pentagon advisory memo appears to be at the heart of the misunderstanding: https://npr.org/2025/03/25/nx-s1-5339801/pentagon-email-signal-vulnerability. The memo used the term ‘vulnerability’ in relation to Signal—but it had nothing to do with Signal’s core tech. It was warning against phishing scams targeting Signal users. 2/
Phishing isn’t new, and it’s not a flaw in our encryption or any of Signal’s underlying technology. Phishing attacks are a constant threat for popular apps and websites. 3/
In order to help protect people from falling victim to sophisticated phishing attacks, Signal introduced new user flows and in-app warnings. This work has been completed for some time and is unrelated to any current events. If you’re interested in learning more, this WIRED article from February 19th (over a month ago) goes into more detail:
https://wired.com/story/russia-signal-qr-code-phishing-attack/ 4/
@signalapp
The technical level of security of Signal is irrelevant. Even using its vulnerability as an argument against it for secure government communications is merely a red herring, since the main issue is not the security breach, but the Trump administration skirting government accountability and effectively creating an unaccountable shadow government outside the normal intelligence community.
@Threadbane @signalapp exactly, the security of a tool is only as strong as its connections. It takes only ONE idiot to screw up the security of ANYTHING.
@Threadbane @signalapp yep, and accidentally invite a journalist. Which wouldn’t have happened if a tool designed for secure military communications had been used. There would be no journalist to add, because he wouldn’t have the security clearance. And most probably there would be an approval workflow (e.g. 4-eyes principle) if someone is being added to a high security communication.

@disco3000

@Threadbane @signalapp

And that's why you do not want shadow-IT in your company (not sure if it was in this case, but looks like a pretty good example for me).

Still, trusting Signal's encryption itself is a good decision.

@disco3000 @Threadbane @signalapp that tool would also be created with federal and presidential records acts in mind. Add those to the felony charges for transmission of national defense information, and every official involved should go to jail for several years.
@Threadbane @signalapp I think the technical level of security in Signal is relevant to the people using Signal for non-classified conversations which seems to be who they're addressing here.

@Threadbane
Military comms are designed to only allow personnel that are pre-vetted. You can't accidentally invite an outsider. The hardware is also secure.

These people have security comms people that travel with them to set up access to secure comms.

The other thing is Signal is not allowed on official phones and can't be downloaded.

This was on personal mobiles, which are unsecure and likely targeted and compromised by foreign intelligence.

It doesn't matter the encryption if Russia has a keylogger and screen capture software installed on the phone.

One of the party had just gone through Russian customs and would have had to hand their phone over and likely had software put on their phone.

China has also been in the US mobile system. So another way to put software on their phones.

Authoritarian countries have routinely used spyware to surveil journalists, lawyers, political dissidents, and human rights activists.
https://en.m.wikipedia.org/wiki/Pegasus_(spyware)

This is not the fault of Signal, but the underlying operating system of the phone. Particularly when up against adversaries with State level resources to target individuals.

@signalapp

Signals of Trouble: Multiple Russia-Aligned Threat Actors Actively Targeting Signal Messenger (Google Cloud Blog): Russia state-aligned threat actors target Signal Messenger accounts used by individuals of interest to Russia's intelligence services.
@signalapp Yeah, can't really call "idiot added Jeff Goldberg to the group chat because he confused him for Jeff Goldblum" a sophisticated phishing attack
@signalapp I am joking. Although... The best jokes carry a kernel of truth.

@signalapp This is an example of how Signal should improve its vulnerability disclosure.

cf. the OWASP guide: https://cheatsheetseries.owasp.org/cheatsheets/Vulnerability_Disclosure_Cheat_Sheet.html#disclosure

Even if this is a UX improvement here, there should be a place summarizing the identified problem and its impact, the vulnerable versions, the patched versions, the patch, etc.

Well-made vulnerability disclosure improves confidence in the software because it shows maturity on the matter. It also avoids opportunistic attackers looking at the git log to identify and exploit bugs with fixes that aren't released yet.


Overview of third-party security audits (Signal Community)

Let’s collect past security audits here. Formal audits (Year, Auditor(s), Sponsor, App/Component, Published, Link, Last update / extended):
2013: iSEC Partners (NCC Group), Open Technology Fund, RedPhone and TextSecure, ❌, Blog post
2014: Frosch et al., German Ministry of Research and Education, TextSecure Protocol, ✅, PDF
2016: Schröder et al., Internet Society, Key fingerprint verification, ✅, PDF
2016: Cohn-Gordon et al., Various research grants, Signal Protocol ...
@signalapp This Wired article is paywalled. Care to provide an archived copy, or write your own explainer?

@signalapp If someone in the conversation shares that conversation... that's outside of the app's control.

Just like anything else. If there is physical access to the thing, it is not secure.

@singletona @signalapp

First day in security:

(1) Something you are.

(2) Something you have.

(3) Something you know.

#Signal doesn't have all three

@signalapp Just avoid becoming like Durov, facing scrutiny for enabling individuals to commit crimes through your platform. It appears that lawmakers these days have lower IQs than a fish stick.
@signalapp Thanks for the explanation!
@signalapp it isn’t surprising that NPR would get it wrong.

@byuck @signalapp

In what way did the NPR article get it wrong? They reported on a government memo suggesting vulnerability, but also contacted Signal to get the actual truth.

@byuck @signalapp

It also kind of misses the point that they are using Signal to avoid FOIA stuff.

@keithnator3000 @byuck @signalapp Nope. Classified material isn't available using that. They intended to avoid complying with the Government Records Act, which would ensure an archival record.
@keithnator3000 @byuck @signalapp The relevant acts are the Espionage Act and the Government Records Act, not the Freedom of Information Act. First two violated and 3rd not relevant.

@samueljohnson

@byuck @signalapp

If it's not archived it can't be FOIA'd later when classification changes. Or even investigated internally. Try and be aware so you don't talk past people.

@keithnator3000 There is a hierarchy and sequence of applicability. There is no guarantee of FOIA ever applying even if other laws weren't broken.
@byuck @signalapp
What about the article did you feel was wrong?
@signalapp someone needs to explain that public servants should not be using encryption to evade retroactive scrutiny... the US President's + aide's devices should be backed up continuously and the device's keys time-unlocked every 4 years.
@signalapp The official vulnerability is CVE-2025-ID10T : There is no security that can safeguard against human stupidity. #signal #signalgate
@signalapp I wouldn't worry about that too much. By now it must be abundantly clear to everyone interested in securing their comms, that US national security institutes should no longer be considered a reliable source for infosec threat information in any way. Like everything else he touches, they are now a Trump weapon.
@signalapp The biggest complaint I'm seeing is that Signal doesn't store conversations on its servers, so there's no way to recover them for transparency purposes. So is this true? Can chats, for example, from a Republican "National Security Team" who "accidentally added" a reporter to their chat be recovered for the Freedom of Information Act, or are those chats just gone forever? That’s why people are calling Signal an unsecured messaging app. Because officials are using it to bypass our laws.

@evrenozara @signalapp

That is accurate but unsecured is probably not the right adjective to describe that.

Noncompliant would be better because it's not compliant with the requirements for government messaging but also has never claimed to be.

@evrenozara @signalapp the chats are likely gone forever, unless they willingly give up their devices with the chats undeleted.

I've heard people calling Signal "unapproved" but not "unsecured".

@beaumains @signalapp I've mostly seen it on Facebook, tbh, but "unsecured," is thrown around a lot on there. Brian Tyler Cohen also called it unsecured in a video he posted yesterday. That's why I was looking for clarification, honestly. 🤷🏻‍♀️

@evrenozara @signalapp this doesn't make it insecure, it makes it unfit for usage by officials. It wasn't *made* for that purpose, it's meant for the general public. That's not a failing of the app, it's a failing of the officials.

The US federal government has communication systems that the officials have access to and that fit the record keeping requirements, as well as other advantages for official use (not being able to add an unauthorized person for example). They just didn't use those.

@signalapp an idiot sending a message to the wrong group is not your problem. It's theirs.
@signalapp A vulnerability to Signal isn't Signal's fault, but that of the platform. Your device might be compromised, your keyboard might. There is a reason why these discussions take place in a secure room, mobile devices left behind. It's not that Signal is doing a bad job, but the level of security required for this is beyond Signal's control.
@signalapp gotta rename urselves to Rizznal then

@signalapp

Of course a lot of new eyes are also checking y’all out since apparently our national security folks just said “fuck a SCIF, let’s throw it all into chat”

Wonder if the Secretary of Dranks Defense got phished and finessed out of those war plans…?

#pettyaf

@signalapp oh, and I am a fan of Signal, it’s not only quite possibly the most secure messaging platform but also forms the underpinning of other secure messaging systems too.

Not sure there’s a way to build in something to counter the incompetence of our officials in the code unfortunately.

@signalapp Incompetent people in an equally incompetent administration. Failure of those people and not Signal.
@signalapp This is why I double ROT13 all my messages.
@admin @signalapp to be really secure you should really send a cipher key to the chat and then use the cipher on every message.
@admin @signalapp
At first I was unsure if encrypting my messages would do anything, but after reading your message I did a complete 360 on the issue.
@signalapp Some of those not familiar with secure messaging and its nuances are in our government.

@signalapp It's not #disinfo when one points out that you demand #PII aka #PhoneNumbers from users and that is literally an architectural vulnerability, alongside your #proprietary & #Centralized #Infrastructure.

Not to mention the lack of @torproject / #Tor support with an #OnionService or the willingness to fulfill #cyberfacist "Embargoes" or shilling a #Shitcoin #Scam named #MobileCoin!

  • #KYC is the illicit activity!!!

And don't get me started on the #cyberfacism that is #CloudAct.

  • If you were secure, criminals would've used your platform so hard, it would've been shut down like #EncroChat and #SkyECC.

I may not have all the evidence yet, but #Signal stenches like #ANØM: #Honeypot-esque!

Signal was originally created to replace text/SMS, which is why a phone number is required. It started as an encrypted layer over SMS/MMS.

Being open source allows scrutiny. Being centralized doesn't equal insecure and Criminal usage is not proof of security. Cloud Act affects all US firms.

> I may not have all the evidence yet ...

So spread FUD potentially pushing people to less secure platforms? Not cool tbh.

@kkarhan > I may not have all the evidence yet, but #Signal stenches like #ANØM: #Honeypot-esque!

Drugs are a hell of a drug.

@signalapp @torproject

@apicultor @signalapp @torproject not sure how you came about drugs, but I'm known to be clinically sober as a matter of principle.

@signalapp

What they didn't say is that the war plans came from chatgpt, target coordinates and all (with citations of course 👍 )