quiet icon indicating copy to clipboard operation
quiet copied to clipboard

Published 20 hours ago verified publisher icon TryQuiet

Quiet is vulnerable to IDN Homograph Attacks

Open m0nad opened this issue 9 months ago • 3 comments

I was testing Quiet and I found that is vulnerable to IDN Homograph Attacks (https://en.wikipedia.org/wiki/IDN_homograph_attack)

Description

When receiving a message, Quiet renders a homographic link in a clickable format, the font makes it almost impossible to tell the difference (check attachment). This is a vulnerability that was also fixed on Signal (CVE-2019-9970).

Reproduction

In this example I used: https://tryquiet.org/ https://tryqᴜiet.org/

Recommendation

Make the URL non-clickable, or shows like Punycode (https://en.wikipedia.org/wiki/Punycode) like the majority of the browsers do, or at least shows some warning.

Other references

https://www.blazeinfosec.com/post/cve-2019-9970-signal-idn-homograph-attack/

m0nad avatar Sep 14 '23 09:09 m0nad