Beware calls from unknown numbers - this top messaging app has placed millions of iOS and Android users at risk

(Image credit: Shutterstock / Illus_man)

UPDATED: We have updated this article following a response from Signal, which told us new, updated versions of the app are available to download now.

Researchers have identified a security vulnerability in popular privacy-centric messaging app Signal.

Discovered by security firm Tenable, the bug could allow hackers to gain access to users’ coarse location data and map out patterns of movement - such as time-periods during which a user is likely to be at home, work, or their favorite local haunt.

To execute an attack, the hacker need only use Signal to call another user, whose location could be compromised whether or not the call is answered.

The Signal messaging app features end-to-end encryption for both calls and text messages, attracting millions of privacy-conscious users every day across Android and iOS. Even infamous whistleblower and champion of data privacy Edward Snowden claims to “use Signal every day.”

Signal vulnerability

However, according to an advisory published by Tenable, the app is not as watertight from a privacy perspective as its users might expect.

The newly discovered flaw exploits the WebRTC code handling DNS requests on a user's device. This can be used to leak information about a user’s DNS, which can in turn reveal coarse location data and allow the hacker to identify the victim’s location within a 400 mile radius. 

While this might appear inconsequential to most, using coarse location data in conjunction with DNS server pings from different networks (domestic Wi-Fi, public hotspots, 4G connections etc.) could be used by the hacker to make more precise location assumptions.

Signal was quick to issue a patch for the vulnerability via GitHub, as well as a patch to the WebRTC project in order to help other potentially affected apps.

The company added that an updated version of the app is also available now on the Apple App Store and Google Play Store, which users should download immediately.

Tenable noted that although average Signal users aren’t to be impacted, for certain Signal users, the issue could be, "quite serious". As the flaw affects WebRTC code used in many other popular apps, the company notes that users of other services could also be at risk.

Joel Khalili
News and Features Editor

Joel Khalili is the News and Features Editor at TechRadar Pro, covering cybersecurity, data privacy, cloud, AI, blockchain, internet infrastructure, 5G, data storage and computing. He's responsible for curating our news content, as well as commissioning and producing features on the technologies that are transforming the way the world does business.

Latest in Security
Close up of a person touching an email icon.
Criminals are using CSS to get around filters and track email usage
DeepSeek on a mobile phone
More US government departments ban controversial AI model DeepSeek
Ransomware
Fortinet firewall bugs are being targeted by LockBit ransomware hackers
Trojan
Microsoft warns of a devious new RAT malware which can avoid detection with apparent ease
NordProtect logo
Standalone identity theft protection from Nord Security is now available
A man holds a smartphone iPhone screen showing various social media apps including YouTube, TikTok, Facebook, Threads, Instagram and X
Ofcom cracks down on UK tech firms, will issue sanctions for illegal content
Latest in News
Helly and Mark standing on an artificial hill surrounded by goats in Severance season 2 episode 3
New Apple teaser for Severance season 2 finale suggests we might finally find out what Lumon is doing with those goats, and I don't think it's anything good
Marvel Rivals
Marvel Rivals' next update will add two new hero skins for Iron Man and Spider-Man mains this week
Nvidia Isaac GROOT N1
“The age of generalist robotics is here" - Nvidia's latest GROOT AI model just took us another step closer to fully humanoid robots
Lego Pokemon
Pokemon and Lego announce the most electrifying collaboration of all time and I’m going to be first in line
Apple Watch app health
Apple Watch blood pressure monitoring tech revealed in patent
Using Zipped files and folders in Windows 11
Hidden clues suggest Microsoft is moving another part of Windows 11’s Control Panel to the Settings app – and this time it’s mouse options