Signal is prone to a domain-spoofing vulnerability because it fails to adequately handle homographs in international domain name (IDN) domains.
An attacker may leverage this issue to spoof a domain that visually resembles a legitimate domain. This may lead to a false sense of trust because the user may be presented with a URI of a seemingly trusted domain while interacting with the attacker's malicious site.
The following products and versions are vulnerable:
Signal Desktop through 1.23.1
Signal Private Messenger through 4.35.3
Information
Signal Private Messenger 4.34.8
Signal Private Messenger 4.33
Signal Private Messenger 4.32.8
Signal Private Messenger 4.31.3
Signal Private Messenger 4.23
Signal Private Messenger 4.11.3
Signal Private Messenger 4.10.10
Signal Private Messenger 4.10.7
Signal Private Messenger 4.9
Signal Private Messenger 4.6
Signal Private Messenger 4.0
Signal Private Messenger 3.26
Signal Private Messenger 3.24
Signal Private Messenger 3.17
Signal Private Messenger 3.14.1
Signal Private Messenger 3.1.1
Signal Desktop 1.23.1
Signal Desktop 1.23
Signal Desktop 1.21
Signal Desktop 1.19
Exploit
The researcher has created a proof-of-concept to demonstrate the issue. Please see the references for more information.
References: