Open Whisper Signal (aka Signal-Desktop) through 1.23.1 and the Signal Private Messenger application through 4.35.3 for Android are vulnerable to an IDN homograph attack when displaying messages containing URLs. This occurs because the application produces a clickable link even if (for example) Latin and Cyrillic characters exist in the same domain name, and the available font has an identical representation of characters from different alphabets.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Private_messenger | Signal | * | 4.35.3 (including) |
| Signal-desktop | Signal | * | 1.23.1 (including) |