漏洞描述

Open Whisper Signal是一款具有加密功能的桌面版即时聊天应用程序。Signal Private Messenger application for Android是一款基于Android平台的、具有加密功能的即时聊天应用程序。 Open Whisper Signal 1.23.1及之前版本和基于Android平台的Signal Private Messenger应用程序4.35.3及之前版本中存在安全漏洞。攻击者可利用该漏洞实施社会工程学攻击。

Open Whisper Signal (aka Signal-Desktop) through 1.23.1 and the Signal Private Messenger application through 4.35.3 for Android are vulnerable to an IDN homograph attack when displaying messages containing URLs. This occurs because the application produces a clickable link even if (for example) Latin and Cyrillic characters exist in the same domain name, and the available font has an identical representation of characters from different alphabets.