Signal, the messaging app that helped popularise encrypted communications, is under the microscope after senior officials from President Donald Trump's administration inadvertently disclosed military plans to attack the Houthis in Yemen.
The California-based company this week said it has been the subject of misinformation after a journalist was added to a Signal chat with Vice President JD Vance and other Cabinet members, and voiced concerns the scandal could drive people away from the platform.
“One piece of misinfo we need to address is the claim that there are ‘vulnerabilities’ in Signal,” the messaging platform posted on X. “Signal remains the gold standard for private, secure communications.”
Signal said the supposed vulnerability had nothing to do with the app's core tech, but instead was based on a Pentagon memo alerting personnel to potential phishing attacks on the platform.
“Phishing isn’t new, and it’s not a flaw in our encryption or any of Signal’s underlying technology,” the Signal post stated.
Rather than there being an obvious issue with Signal's encryption, the attack plan scandal stems from user error after National Security Advisor Mike Waltz, or someone using his account, added Jeffrey Goldberg, editor-in-chief of The Atlantic, to the group.
Amid the finger pointing, a debate is growing on whether the Signal Messenger app should even be used by government officials in the first place.
Like its rivals, Signal boasts “state of the art, end-to-end encryption”, but experts say such security features matter little if the app's users are careless.
“Often the Defence Department will urge against using these apps for secure communication because humans will be humans and they can't be trusted to use it correctly,” Robert Graham, chief executive of Atlanta-based cyber security company Errata Security, told The National. “That was verified by this whole story – a journalist was accidentally added to the group.”
Signal chat leaks: Messages appear to show Hegseth reveal Houthi plans
The Trump administration says members of the former president Joe Biden's team also used Signal, though sceptics said it was rarely, if ever, deployed to discuss military plans.
Regardless, in 2024 the US Cybersecurity & Infrastructure Security Agency (CISA) issued a “best practices” guide which mentioned that end-to-end encrypted messaging apps like Signal would be preferred for secure communication. But that same guidance also points out that “no single solution eliminates all risks”.
In recent congressional hearings this week, lawmakers noted that military planning, such as a strike on Yemen, should have never take place on a messaging app.
Just days before details of the Signal chat were published, the Pentagon had warned various staffers against using apps like Signal, due to the potential for it to be a “high value target” for professional Russian hacking groups. That warning also pointed out that the devices installed with apps like Signal could be infected with malware that renders encryption meaningless.
“The problem with Signal, is that yes, it's end-to-end encrypted, but one of those ends, the devices, might not be secure, and that's a problem,” Mr Graham said, echoing the Pentagon's warning about using messaging apps for highly sensitive conversations.
He also said that phishing attempts from nefarious actors could also nullify security features, especially when users try to use the apps on their phones and computers simultaneously, often requiring a code to synch the content.
“So the phishing attacks are sent out using these bar codes, trying to get people to unknowingly link the hackers laptop with the user's phone, so they would go see the messages.
Signal said that in order to help protect people from falling victim to sophisticated phishing attacks, it had introduced new in-app warnings. The company also said it routinely conducts security audits and addresses any potential flaws “with quickness.”
Ultimately, Mr Graham said, Signal is one of the more secure messaging apps out there, which is why so many government officials in various countries use it. But it should have been a no-brainer to avoid using it to discuss military plans.
“That's what SCIFs are for,” he said, using the abbreviation for sensitive compartmented information facilities. “They put SCIFs in offices, homes, they have them in embassies, and they're not always convenient, but that's the whole point.”
“You have to get into the habit of 'We need to have a conversation, let's go to a SCIF'. There's a high principle here in that the area is secure and you don't need to worry about journalists because the endpoints are secure.”
Although US National Security Adviser Mike Waltz has accepted responsibility for the fallout from the use of Signal, he still hasn't disclosed how the journalist was added to the group chat.
Meanwhile, Signal founder Moxie Marlinspike is using the incident as a way to promote the platform with a hint of humour.
“There are so many great reasons to be on Signal. Now including the opportunity for the vice president of the United States of America to randomly add you to a group chat for co-ordination of sensitive military operations. Don’t sleep on this opportunity,” he posted on X.
