PT-2019-19968 · Signal · Signal Private Messenger+3

Julio Cesar Fort · Published 2019-03-23 · Updated 2022-04-07 · CVE-2019-9970

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Open Whisper Signal (aka Signal-Desktop) versions 1.23.1 and earlier

Signal Private Messenger application versions 4.35.3 and earlier for Android

Description

The issue occurs when the application displays messages containing URLs, making it vulnerable to an IDN homograph attack. This happens because the application produces a clickable link even if Latin and Cyrillic characters exist in the same domain name, and the available font has an identical representation of characters from different alphabets.

Recommendations

For Open Whisper Signal (aka Signal-Desktop) versions 1.23.1 and earlier, update to a version later than 1.23.1 to resolve the issue. For Signal Private Messenger application versions 4.35.3 and earlier for Android, update to a version later than 4.35.3 to resolve the issue. As a temporary workaround, consider disabling the display of clickable links in messages until a patch is available.
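
A mixed-script check of the kind the description calls for, run on message text before a URL is rendered as a clickable link. This is an added example, not Signal's code; the function names, the sample URLs and the choice to test each DNS label separately are assumptions of the example.

```javascript
// Added example: mixed-script check applied to a URL before it is made clickable.
// Function names and sample URLs are constructed for illustration.
const SCRIPTS = {
  Latin: /\p{Script=Latin}/u,
  Cyrillic: /\p{Script=Cyrillic}/u,
};

// Host part of the raw message text, kept in Unicode form (no Punycode
// conversion) so the characters the user would see can be inspected.
function rawHost(urlText) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^\/?#]*)/i.exec(urlText.trim());
  if (!m) return null;
  const authority = m[1];
  const host = authority
    .slice(authority.lastIndexOf('@') + 1) // drop userinfo
    .replace(/:\d*$/, '');                 // drop port
  return host ? host.normalize('NFC').toLowerCase() : null;
}

// Names of the scripts from SCRIPTS that occur in one DNS label.
// Digits and hyphens belong to neither script and are ignored.
function scriptsIn(label) {
  const found = new Set();
  for (const ch of label) {
    for (const [name, re] of Object.entries(SCRIPTS)) {
      if (re.test(ch)) found.add(name);
    }
  }
  return [...found].sort();
}

// Labels of the host that mix Latin and Cyrillic letters.
function mixedScriptLabels(urlText) {
  const host = rawHost(urlText);
  if (host === null) return [];
  return host.split('.').filter((label) => scriptsIn(label).length > 1);
}

// Policy: render as a link only if the text is a URL with no mixed label.
function shouldLinkify(urlText) {
  return rawHost(urlText) !== null && mixedScriptLabels(urlText).length === 0;
}

// Constructed samples; \u0430 is CYRILLIC SMALL LETTER A, a look-alike of "a".
const SAMPLES = [
  'https://signal.org/download',
  'https://\u0430pple.com/login',
  'https://\u043f\u0440\u0438\u043c\u0435\u0440.com/',
];
for (const s of SAMPLES) console.log(shouldLinkify(s), mixedScriptLabels(s));
```

A label written entirely in Cyrillic look-alike letters passes this check, so it covers only the mixed-script case the description names.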

Fix


Related identifiers

CVE-2019-9970

Affected products

Open Whisper Signal
Esignal
Signal Desktop
Signal Private Messenger