Allele Security Alert
Internationalized domain name (IDN) homograph attacks
Signal Messenger LLC
Signal for Android
Signal Desktop versions through 1.23.1
Signal for Android versions through 4.35.3
Proof of concept
Signal Desktop and Android are vulnerable to an IDN homograph attack when displaying messages containing URLs.
A homograph attack is a security vulnerability that can deceive users into thinking they are visiting a certain website when in fact they are directed to a different but homographic domain name. This type of vulnerability can be used to weaponize social engineering, significantly increasing the chances of a successful attack.
Upon receiving a message with a link, Signal renders it in a clickable format and the font used to display the message makes it impossible to distinguish between the legitimate URL and the malicious URL, for example:
Upon clicking the malicious link, a user is taken to http://xn--blzeinfosec-zij.com/ instead of the real http://blazeinfosec.com, even though the link is displayed exactly like the expected website.
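A defensive check for the rendering step described above, as an added example that is not part of the original advisory or of Signal's code: it finds URLs in a message, flags hosts whose labels mix scripts, and returns the ASCII (punycode) host to display instead. The function names, the script subset, the display policy and the sample message are assumptions made for illustration.

```javascript
// Added example, not Signal's code: flag homograph candidates before rendering links.
// Assumption: this script subset is enough to catch common Latin look-alikes.
const SCRIPTS = {
  Latin: /\p{Script=Latin}/u,
  Cyrillic: /\p{Script=Cyrillic}/u,
  Greek: /\p{Script=Greek}/u,
  Armenian: /\p{Script=Armenian}/u,
};

// Return the known scripts used by the characters of one hostname label.
function scriptsIn(label) {
  const found = new Set();
  for (const ch of label) {
    for (const [name, re] of Object.entries(SCRIPTS)) {
      if (re.test(ch)) found.add(name);
    }
  }
  return [...found];
}

// Inspect every http(s) URL in a message and decide how its host should be shown.
function inspectLinks(message) {
  const results = [];
  for (const [raw] of message.matchAll(/https?:\/\/[^\s<>"']+/giu)) {
    let parsed;
    try { parsed = new URL(raw); } catch { continue; } // unparsable: not linkified
    // Host exactly as the sender typed it: drop scheme, path, userinfo and port.
    const authority = raw.replace(/^https?:\/\//i, "").split(/[/?#]/)[0];
    const shownHost = authority.slice(authority.lastIndexOf("@") + 1).replace(/:\d*$/, "");
    const asciiHost = parsed.hostname; // WHATWG URL converts IDN labels to xn-- form
    const mixedScript = shownHost.split(".").some((l) => scriptsIn(l).length > 1);
    results.push({
      shownHost,
      asciiHost,
      nonAscii: /[^\x00-\x7f]/.test(shownHost),
      mixedScript,
      // Assumed policy: show the punycode host whenever one label mixes scripts.
      displayHost: mixedScript ? asciiHost : shownHost,
    });
  }
  return results;
}

// Constructed sample: the first host replaces Latin "a" with Cyrillic U+0430.
const SAMPLE_MESSAGE =
  "Slides: http://bl\u0430zeinfosec.com/ (mirror http://blazeinfosec.com/)";
console.log(inspectLinks(SAMPLE_MESSAGE));
```

A host written entirely in one non-Latin script is reported with `nonAscii: true` but keeps its Unicode form under this policy, so legitimate IDNs stay readable.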
A sample attack scenario against a Signal mobile user:
- An activist or person of interest uses Signal for Android
- The person receives a URL in a Signal message disguised as a legitimate one and clicks on the link
- The malicious URL serves a one-click browser exploit
- Target gets infected with mobile malware
Additionally, the mobile version of Tor Browser (Orfox, on Android) is vulnerable to the same class of attack. Therefore, users of Signal with Tor Browser (which does not seem to be a rare combination) are vulnerable to full-blown phishing attacks.
Julio Cesar Fort (Blaze Information Security)
Signal IDN homograph attacks
Security advisory: Signal IDN homograph attack
Last modified: October 9, 2019