Signal-Desktop fails to sanitize unicode characters in URLs #4568
Comments
|
Perhaps related to signalapp/Signal-iOS#4582 |
|
We took a look at this and addressed it in f21dad1. Thanks for reporting! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Signal-Desktop fails to sanitize unicode in URLs
Signal will convert any URL inside a message into a clickable hyperlink, but Signal-Android will not convert an URL to an hyperlink if it contains an unicode character, presumably to avoid "punycode" attacks with similar-looking unicode characters faking a real URL.
However, Signal-Desktop will allow unicode characters in URLs if they are located located inside URL parameters. This can be used in a phishing attacks to users of Signal-Desktop.
Steps to Reproduce
google.com/search?q=SENO+I+CULOS
Send the message containing the malicious URL. All Signal clients for Android will detect the unicode u+202E 'RIGHT-TO-LEFT OVERRIDE' and wont convert the URL to hyperlink.
Signal-Desktop however, will convert the malicious URL to a link, and when pressed it will search instead for "https://www.google.com/search?q=%E2%80%AESENO+I+CULOS", a with an unexpected result for the user.
Actual Result:
Signal-Desktop converts the malicious URL to an hyperlink and allows the user to click it.
Expected Result:
Signal-Desktop detects the unicode inside the URL and don't convert it to an hyperlink, same behavior as Signal-Android.
Platform Info
Signal Version:
v1.36.3
Operating System:
Ubuntu 18.04 LTS
Linked Device Version:
Signal 4.71.5 Android
The text was updated successfully, but these errors were encountered: