ASA-2019-00155 – Telegram: Internationalized domain name (IDN) homograph attacks

Posted on by Allele Security Intelligence in Alerts

Allele Security Alert

ASA-2019-00155

Identifier(s)

ASA-2019-00155, CVE-2019-10044

Title

Internationalized domain name (IDN) homograph attacks

Vendor(s)

Telegram Messenger LLP

Product(s)

Telegram for iPhone and iPad
Telegram for Android
Telegram for Windows
Telegram for Linux

Affected version(s)

All versions of Telegram for iPhone and iPad
All versions of Telegram for Android
All versions of Telegram for Windows
All versions of Telegram for Linux

Fixed version(s)

Telegram for Windows 1.5.12
The status of other products is unknown

Proof of concept

Unknown

Description

Telegram (tested on all mobile versions and Linux and Windows for desktop) is vulnerable to an IDN homograph attack when displaying messages containing URLs.

Homograph attack is a security vulnerability that can deceive users into thinking they are visiting a certain website when in fact they are directed to a different, but homograph, domain name. This type of vulnerability can be used to weaponize social engineering, increasing the chances for a successful attack.

Upon receiving a message with a link, Telegram renders it in a clickable format and the font used to display the message makes it impossible to distinguish between the legitimate URL and the malicious URL, for example:

Legitimate URL: http://blazeinfosec.com
Malicious URL: http://blаzeinfosec.com – with the ‘a’ as a Cyrillic character, not Latin

On top of that Telegram renders a preview of the web site, making it even more deceptive for a user.

Upon clicking on the malicious link, a user will be taken to http://xn--blzeinfosec-zij.com/ instead of the real http://blazeinfosec.com, despite the fact the link is displayed exactly as the expected web site.

A sample attack scenario against a Telegram user:

  • An activist or person of interest uses Telegram
  • The person receives a URL in a Telegram message disguised as a legitimate, Telegram renders a preview
  • The user clicks on the link
  • The malicious URL serves a one-click browser exploit
  • Target gets infected with mobile or desktop malware

Additionally, the mobile and desktop versions of Tor Browser is vulnerable to the same class of attack. Therefore, users of Telegram with Tor Browser are prone to full-blown phishing attacks.

Technical details

Unknown

Credits

Julio Cesar Fort (Blaze Information Security)

Reference(s)

Security advisory: Telegram instant messenger IDN homograph attack
https://wildfire.blazeinfosec.com/security-advisory-telegram/

CVE-2019-10044
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10044

CVE-2019-10044
https://nvd.nist.gov/vuln/detail/CVE-2019-10044

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: March 25, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.