quiet
quiet copied to clipboard
Quiet is vulnerable to IDN Homograph Attacks
I was testing Quiet and I found that is vulnerable to IDN Homograph Attacks (https://en.wikipedia.org/wiki/IDN_homograph_attack)
Description
When receiving a message, Quiet renders a homographic link in a clickable format, the font makes it almost impossible to tell the difference (check attachment). This is a vulnerability that was also fixed on Signal (CVE-2019-9970).
Reproduction
In this example I used: https://tryquiet.org/ https://tryqᴜiet.org/
Recommendation
Make the URL non-clickable, or shows like Punycode (https://en.wikipedia.org/wiki/Punycode) like the majority of the browsers do, or at least shows some warning.
Other references
https://www.blazeinfosec.com/post/cve-2019-9970-signal-idn-homograph-attack/