Title: Signal IDN homograph attacks
Advisory reference: BLAZE-01-2019 (CVE-2019-9970)
Disclosure mode: Coordinated disclosure
Signal is an encrypted communications app for Android and iOS. A desktop version is also available for Linux, Windows, and macOS.
It uses the Internet to send one-to-one and group messages, which can include files, voice notes, images and videos, and make one-to-one voice and video calls.
Signal uses standard cellular mobile numbers as identifiers, and uses end-to-end encryption to secure all communications to other Signal users. The applications include mechanisms by which users can independently verify the identity of their messaging correspondents and the integrity of the data channel. (from Signal's Wikipedia page)
Signal Desktop and Android are vulnerable to an IDN homograph attack when displaying messages containing URLs.
Homograph attack is a security vulnerability that can deceive users into thinking they are visiting a certain website when in fact they are directed to a different, but homograph, domain name. This type of vulnerability can be used to weaponize social engineering, significantly increasing the chances for a successful attack.
Upon receiving a message with a link, Signal renders it in a clickable format and the font used to display the message makes it impossible to distinguish between the legitimate URL and the malicious URL, for example:
Upon clicking on the malicious link, a user will be taken to http://blаzeinfosec.com/ instead of the real http://blazeinfosec.com, despite the fact the link is displayed exactly as the expected web site.
A sample attack scenario against a Signal mobile user:
- An activist or person of interest uses Signal for Android
- The person receives a URL in a Signal message disguised as a legitimate one and clicks on the link
- The malicious URL serves a one-click browser exploit
- Target gets infected with mobile malware
Additionally, the mobile version of Tor Browser (Orfox, in Android) is vulnerable to the same class of attack. Therefore, users of Signal with Tor Browser (which does not seem to be a rare combination) are vulnerable to full-blown phishing attacks.
Fix and recommendations
Blaze Information Security recommends Signal to "defang" URLs just like it is done in its iOS version.
URLs with mixed scripts (e.g., Latin and Cyrillic in the same domain name) or URLs using scripts not installed or enabled in the device should be displayed in the message as un-clickable.
Alternatively, Signal could implement the same strategy used by WhatsApp to mark the link as insecure, with a clear warning message to the user when an IDN homograph domain name is encountered in the message.
The vulnerability has been addressed by Signal at least in version 4.35.3 for Android. As of now, Windows-based Signal for Desktop is still vulnerable. Users should upgrade Signal to its latest version.
This vulnerability was discovered and researched by Julio Cesar Fort from Blaze Information Security (https://www.blazeinfosec.com)
31/01/2019: Initial contact asking for the vendor's PGP key
31/01/2019: Vendor responded asking for details of the vulnerability to be sent, surprisingly, via unencrypted e-mail
31/01/2019: Vulnerability details sent via unencrypted mail
01/02/2019: Signal responds "it seems like standard behavior here is to rely on the browser to disambiguate
these names (and the registrar to prevent issuance of ambiguous names)."
01/02/2019: Blaze responds citing one-click exploits and the case of Ahmed Mansoor and Pegasus malware as a credible attack scenario
03/02/2019: Blaze sends a report to Signal informing Tor Browser for Android is vulnerable, turning it into a full phishing chain
12/02/2019: Signal responds "We don't consider this a 'vulnerability' or 'bug'", despite evidence showing otherwise.
Unknown 2019: A fix was released - the vendor never informed Blaze about the fix.
23/03/2019: Advisory released
IDN homograph attack: https://en.wikipedia.org/wiki/IDN_homograph_attack
The Homograph Attack: http://www.cs.technion.ac.il/~gabr/papers/homograph_full.pdf
About Blaze Information Security
Blaze Information Security is a privately held, independent information security firm born from years of combined experience. With presence in South America and Europe, Blaze has a team of senior analysts with past experience in leading information security consulting companies around the world and a proven track record of published security research.
PGP key fingerprint: DB53 D9D9 F0E1 E513 4F52 8219 C33B C7FA C5D0 E926