ASA-2019-00154 – Signal Private Messenger: Internationalized domain name (IDN) homograph attacks


Allele Security Alert

ASA-2019-00154

Identifier(s)

ASA-2019-00154, CVE-2019-9970

Title

Internationalized domain name (IDN) homograph attacks

Vendor(s)

Signal Messenger LLC

Product(s)

Signal Desktop

Signal for Android

Affected version(s)

Signal Desktop versions through 1.23.1
Signal for Android versions through 4.35.3

Fixed version(s)

Unknown

Proof of concept

Yes

Description

Signal Desktop and Android are vulnerable to an IDN homograph attack when displaying messages containing URLs.

Technical details

A homograph attack deceives users into thinking they are visiting a certain website when they are in fact directed to a different domain name that looks identical (a homograph). This type of vulnerability can be used to weaponize social engineering, significantly increasing the chances of a successful attack.

Upon receiving a message with a link, Signal renders it as a clickable link, and the font used to display the message makes it impossible to distinguish the legitimate URL from the malicious one. For example:

Legitimate URL: http://blazeinfosec.com
Malicious URL: http://blаzeinfosec.com – with the ‘a’ as a Cyrillic character, not Latin

Upon clicking the malicious link, the user is taken to http://xn--blzeinfosec-zij.com/ instead of the real http://blazeinfosec.com, even though the link is displayed exactly like the expected website.
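A defensive check for the rendering issue described above, as an added example that is not Signal's code or part of the original advisory: it flags hostname labels that mix scripts and falls back to the Punycode form for display. The function names and the script list are assumptions; the sample URLs are the two from this advisory.

```javascript
// Added example (not Signal's code). Names and script list are assumptions.
const SCRIPTS = ['Latin', 'Cyrillic', 'Greek', 'Armenian', 'Hebrew',
  'Arabic', 'Han', 'Hiragana', 'Katakana', 'Hangul'];
const SCRIPT_RE = SCRIPTS.map((name) => [name, new RegExp(`\\p{Script=${name}}`, 'u')]);

// Return the distinct scripts used by the letters of one hostname label.
function scriptsInLabel(label) {
  const found = new Set();
  for (const ch of label) {
    if (!/\p{L}/u.test(ch)) continue; // digits and hyphens are script-neutral
    const hit = SCRIPT_RE.find(([, re]) => re.test(ch));
    found.add(hit ? hit[0] : 'Other');
  }
  return [...found];
}

// Decide which hostname a message view should display for a received link.
function inspectLink(rawUrl) {
  // Hostname as typed by the sender (what a naive renderer shows).
  const m = /^[a-z][a-z0-9+.-]*:\/\/(?:[^\/?#@]*@)?([^\/?#:]+)/i.exec(rawUrl);
  if (!m) return null;
  const shownHost = m[1].normalize('NFC').toLowerCase();
  let asciiHost;
  try {
    // Hostname that is actually resolved (IDNA ToASCII, i.e. Punycode).
    asciiHost = new URL(rawUrl).hostname;
  } catch {
    return null; // not a parseable URL: do not render it as a link
  }
  const mixedLabels = shownHost.split('.')
    .filter((label) => scriptsInLabel(label).length > 1);
  return {
    shownHost,
    asciiHost,
    mixedLabels,
    // Fall back to the ASCII form whenever any label mixes scripts.
    displayHost: mixedLabels.length > 0 ? asciiHost : shownHost,
  };
}

// The two URLs from the advisory; \u0430 is CYRILLIC SMALL LETTER A.
const legit = inspectLink('http://blazeinfosec.com');
const spoof = inspectLink('http://bl\u0430zeinfosec.com');
console.log(legit.displayHost, '|', spoof.displayHost, '|', spoof.mixedLabels);
```

Labels written entirely in one non-Latin script pass this check, so it does not cover whole-script lookalikes.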

A sample attack scenario against a Signal mobile user:

  • An activist or person of interest uses Signal for Android
  • The person receives a URL in a Signal message disguised as a legitimate one and clicks on the link
  • The malicious URL serves a one-click browser exploit
  • Target gets infected with mobile malware

Additionally, the mobile version of Tor Browser (Orfox, on Android) is vulnerable to the same class of attack. Therefore, users of Signal with Tor Browser (which does not seem to be a rare combination) are vulnerable to full-blown phishing attacks.

Credits

Julio Cesar Fort (Blaze Information Security)

Reference(s)

Signal IDN homograph attacks
https://github.com/blazeinfosec/advisories/blob/c70c90bc7f8d82d4d20c42260770cbdeec834623/signal-advisory.txt

Security advisory: Signal IDN homograph attack
https://wildfire.blazeinfosec.com/security-advisory-signal-idn-homograph-attack-2/

CVE-2019-9970
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9970

CVE-2019-9970
https://nvd.nist.gov/vuln/detail/CVE-2019-9970


Last modified: October 9, 2019
