I have searched open and closed issues for duplicates
Signal-Desktop fails to sanitize unicode in URLs
Signal will convert any URL inside a message into a clickable hyperlink, but Signal-Android will not convert a URL to a hyperlink if it contains a Unicode character, presumably to avoid "punycode" attacks with similar-looking Unicode characters faking a real URL.
However, Signal-Desktop will allow Unicode characters in URLs if they are located inside URL parameters. This can be used in phishing attacks against users of Signal-Desktop.
Steps to Reproduce
Copy the following URL and paste it into a message for a group or a private message inside Signal-Desktop (Note: the URL contains a U+202E Unicode character and GitHub won't convert it to a hyperlink):
google.com/search?q=SENO+I+CULOS
Send the message containing the malicious URL. All Signal clients for Android will detect the Unicode character U+202E 'RIGHT-TO-LEFT OVERRIDE' and won't convert the URL to a hyperlink.
Signal-Desktop, however, will convert the malicious URL to a link, and when pressed it will instead search for "https://www.google.com/search?q=%E2%80%AESENO+I+CULOS", with an unexpected result for the user.
Actual Result:
Signal-Desktop converts the malicious URL to a hyperlink and allows the user to click it.
Expected Result:
Signal-Desktop detects the Unicode character inside the URL and doesn't convert it to a hyperlink, the same behavior as Signal-Android.
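As an added illustration of the expected behavior (example code, not Signal's own linkifier), the check below refuses to linkify any URL candidate that contains a non-ASCII code point anywhere in the token, query string included, and reports bidi override characters such as U+202E separately. The URL token pattern and function names are hypothetical; the sample messages are constructed.

```javascript
// Added example, not Signal-Desktop code: decide whether a URL-looking token
// in a message may be turned into a clickable link. Any non-ASCII code point,
// even inside the query string, blocks linkification, which is the behavior
// the report expects. Bidi formatting characters are reported on their own
// because they reorder the text the user sees.

// Unicode bidirectional controls: embeddings, overrides, isolates and marks.
// U+202E is RIGHT-TO-LEFT OVERRIDE, the character used in the report.
const BIDI_CONTROLS = /[\u202A-\u202E\u2066-\u2069\u200E\u200F\u061C]/u;

// Anything outside printable ASCII; this also rejects confusable letters.
const NON_ASCII = /[^\x20-\x7E]/;

function classifyUrlCandidate(candidate) {
  if (BIDI_CONTROLS.test(candidate)) {
    return { linkify: false, reason: 'bidi-control' };
  }
  if (NON_ASCII.test(candidate)) {
    return { linkify: false, reason: 'non-ascii' };
  }
  return { linkify: true, reason: null };
}

// Hypothetical, deliberately loose URL matcher: the safety decision is made
// by classifyUrlCandidate, not by how precisely the token is matched.
const URL_TOKEN = /\S+\.\S+/;

// Return the tokens of a message that a client may render as links.
// U+202E is a format character, not whitespace, so it stays inside its token.
function safeLinks(message) {
  return message
    .split(/\s+/)
    .filter((token) => URL_TOKEN.test(token))
    .filter((token) => classifyUrlCandidate(token).linkify);
}

// Constructed sample messages; the second embeds U+202E in the query string.
const SAMPLE_PLAIN = 'see google.com/search?q=hello+world later';
const SAMPLE_RTLO = 'see google.com/search?q=\u202ESENO+I+CULOS later';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(safeLinks(SAMPLE_PLAIN)); // [ 'google.com/search?q=hello+world' ]
  console.log(safeLinks(SAMPLE_RTLO));  // []
}
```

Note that a pure-ASCII punycode label (`xn--...`) passes this check unchanged; it only addresses raw Unicode in the message text, which is the case this report covers.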
Platform Info
Signal Version:
v1.36.3
Operating System:
Ubuntu 18.04 LTS
Linked Device Version:
Signal 4.71.5 Android