Open Whisper Signal Homograph Domain Spoofing Vulnerability [CVE-2019-9970]

CVE Number – CVE-2019-9970

Open Whisper Signal (aka Signal-Desktop) through 1.23.1 and the Signal Private Messenger application through 4.35.3 for Android are vulnerable to an IDN homograph attack when displaying messages containing URLs. This occurs because the application produces a clickable link even if (for example) Latin and Cyrillic characters exist in the same domain name, and the available font has an identical representation of characters from different alphabets.
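As an added illustration (not Signal's code or its actual fix), the following JavaScript sketch shows the kind of check whose absence the advisory describes: refuse to render a clickable link when a single domain label mixes Latin, Cyrillic or Greek letters. The function names, the three-script table and the sample URLs are assumptions constructed for this example.

```javascript
// Added example: scripts whose letters many fonts render identically (simplified set).
const CONFUSABLE_SCRIPTS = {
  Latin: /\p{Script=Latin}/u,
  Cyrillic: /\p{Script=Cyrillic}/u,
  Greek: /\p{Script=Greek}/u,
};

// Take the host from the raw message text. new URL() is not used here because it
// converts the host to punycode, which hides the characters the user actually sees.
function rawHost(urlText) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^\/?#]*)/i.exec(urlText.trim());
  if (!m) return null;
  const authority = m[1];
  const hostPort = authority.slice(authority.lastIndexOf("@") + 1); // drop userinfo
  return hostPort.replace(/:\d*$/, "").normalize("NFC").toLowerCase(); // drop port
}

// Return the scripts from the table above that occur in one DNS label.
function scriptsInLabel(label) {
  const found = new Set();
  for (const ch of label) {
    for (const [name, re] of Object.entries(CONFUSABLE_SCRIPTS)) {
      if (re.test(ch)) found.add(name);
    }
  }
  return [...found].sort();
}

// Decide whether a URL found in a message may be rendered as a clickable link.
function checkLink(urlText) {
  const host = rawHost(urlText);
  if (host === null || host === "") return { linkify: false, reason: "no host" };
  // IDNA treats these four characters as label separators.
  for (const label of host.split(/[.\u3002\uFF0E\uFF61]/u)) {
    const scripts = scriptsInLabel(label);
    if (scripts.length > 1) {
      return { linkify: false, reason: `label "${label}" mixes ${scripts.join("+")}` };
    }
  }
  return { linkify: true, reason: "single script per label" };
}

// Constructed samples: plain ASCII, Latin with Cyrillic U+0430, all-Cyrillic label.
for (const u of ["https://example.com/", "https://ex\u0430mple.com/", "https://пример.example/"]) {
  console.log(JSON.stringify(u), checkLink(u));
}
```

A label written entirely in one script still passes this check, so whole-script lookalikes need a separate confusables comparison.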

Vulnerable versions:

Signal Private Messenger 4.35.3 
Signal Private Messenger 4.34.8 
Signal Private Messenger 4.33 
Signal Private Messenger 4.32.8 
Signal Private Messenger 4.31.3 
Signal Private Messenger 4.23 
Signal Private Messenger 4.11.3 
Signal Private Messenger 4.10.10 
Signal Private Messenger 4.10.7 
Signal Private Messenger 4.9 
Signal Private Messenger 4.6 
Signal Private Messenger 4.0 
Signal Private Messenger 3.26 
Signal Private Messenger 3.24 
Signal Private Messenger 3.17 
Signal Private Messenger 3.14.1 
Signal Private Messenger 3.1.1 
Signal Desktop 1.23.1 
Signal Desktop 1.23 
Signal Desktop 1.21 
Signal Desktop 1.19 

For updates and fixes, please visit https://signal.org/

Duncan Newell

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
