ASA-2019-00154 – Signal Private Messenger: Internationalized domain name (IDN) homograph attacks

Allele Security Alert



ASA-2019-00154, CVE-2019-9970


Internationalized domain name (IDN) homograph attacks


Signal Messenger LLC


Signal Desktop

Signal for Android

Affected version(s)

Signal Desktop versions through 1.23.1
Signal for Android versions through 4.35.3

Fixed version(s)


Proof of concept



Signal Desktop and Android are vulnerable to an IDN homograph attack when displaying messages containing URLs.

Technical details

Homograph attack is a security vulnerability that can deceive users into thinking they are visiting a certain website when in fact they are directed to a different, but homograph, domain name. This type of vulnerability can be used to weaponize social engineering, significantly increasing the chances for a successful attack.

Upon receiving a message with a link, Signal renders it in a clickable format and the font used to display the message makes it impossible to distinguish between the legitimate URL and the malicious URL, for example:

Legitimate URL:
Malicious URL: http://blа – with the ‘a’ as a Cyrillic character, not Latin

Upon clicking on the malicious link, a user will be taken to instead of the real, despite the fact the link is displayed exactly as the expected web site.

A sample attack scenario against a Signal mobile user:

  • An activist or person of interest uses Signal for Android
  • The person receives a URL in a Signal message disguised as a legitimate one and clicks on the link
  • The malicious URL serves a one-click browser exploit
  • Target gets infected with mobile malware

Additionally, the mobile version of Tor Browser (Orfox, in Android) is vulnerable to the same class of attack. Therefore, users of Signal with Tor Browser (which does not seem to be a rare combination) are vulnerable to full-blown phishing attacks.


Julio Cesar Fort (Blaze Information Security)


Signal IDN homograph attacks

Security advisory: Signal IDN homograph attack



If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: October 9, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.