Homograph attacks demonstrated in mobile messaging apps
Homograph attacks are not just an issue for web browsers – they have been shown to cause headaches for users of mobile messaging apps, too.
Researchers at Blaze Security have demonstrated bugs against Signal, Telegram, and the Tor browser that might be used as part of social engineering attacks – pushing users towards hacker-controlled sites that host either malicious code or phishing pages aiming to hoodwink prospective marks into handing over their login details.
The introduction of Unicode in domain names opened up the web to multiple languages, internationalizing it but also allowing the registering of domain names using different alphabets and Unicode characters – some which look like characters in English. These homograph attacks, using lookalike domain names to trick users, have been a feature of phishing attacks for years.
Hackers typically mount a homograph attack by registering a domain containing non-ASCII characters that are visually similar to English characters.
Latin, Greek, and Cyrillic scripts share numerous characters that are difficult to distinguish visually, opening the door for hackers to register dodgy domains that impersonate real brands.
For example, users of the cryptocurrency exchange MyEtherWallet and GitHub have been targeted with phishing attacks based on the trick.
Security researchers have explored this domain of malfeasance, but up until now these efforts have focused on how users of browsers and email clients might be fooled by homoglyph-themed trickery.
Two practical exploits against Signal, Telegram, and Tor Browser – developed by researchers at Blaze Security – show that a similar, but thus far largely overlooked, threat exists for users of security-orientated mobile messaging apps. The trick makes it difficult, if not impossible, for a user to distinguish between a legitimate URL and a malicious link.
In response to the threat, browsers such as Google Chrome only display suspicious URLs in punycode – making the use of lookalike domains more apparent. But this security control is absent in Firefox and by extension Tor, allowing a deceitful link sent through either Signal or Telegram to be opened in Tor without any apparent warning.
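The mechanism described above (a domain label that mixes Latin letters with a visually confusable Cyrillic or Greek character) and the Chrome-style mitigation (render such hosts in punycode rather than as Unicode) can both be shown in a few lines. The following is an added example written for this article; it is not code from Blaze Security, Signal, Telegram, or any browser. The sample links are constructed, and the `display_form` function is a hypothetical link-preview routine that a messaging client could apply before rendering a URL.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed sample links (not from the advisory). The second one replaces the
# Latin 'a' in "example" with the Cyrillic small letter a (U+0430), which is
# visually identical in most fonts.
SAMPLE_LINKS = [
    "https://example.com/login",
    "https://ex\u0430mple.com/login",
]


def script_of(ch):
    """Return a coarse script bucket for one character, derived from its Unicode name."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "GREEK", "CYRILLIC"):
        if name.startswith(script):
            return script
    return "OTHER"


def hostname(url):
    """Extract the (lower-cased) host part of a URL; empty string if there is none."""
    return urlsplit(url).hostname or ""


def to_punycode(host):
    """IDNA-encode a host so that non-ASCII labels appear as xn-- labels."""
    return host.encode("idna").decode("ascii")


def is_suspicious(host):
    """True if any label mixes more than one script (Latin plus Cyrillic, etc.).

    Mixed-script labels are the classic homograph pattern; single-script
    non-Latin labels (a genuinely Russian or Greek domain) are left alone.
    """
    for label in host.split("."):
        scripts = {script_of(c) for c in label} - {"COMMON"}
        if len(scripts) > 1:
            return True
    return False


def display_form(url):
    """Return the host as a client should render it in a link preview.

    Suspicious hosts are shown in punycode, as Chrome does, so that the
    lookalike is visible to the user; ordinary hosts are shown as-is.
    """
    host = hostname(url)
    return to_punycode(host) if is_suspicious(host) else host


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{link!r:40} -> {display_form(link)}")
```

The mixed-script heuristic is deliberately narrow: it flags the case the article describes (a mostly Latin label with one confusable character swapped in) without penalising legitimately internationalised domains written wholly in one script. A production check would also consult Unicode's confusables data for whole-script confusables.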
Other popular instant messengers including Slack, Facebook Messenger, and WhatsApp were not vulnerable to this class of attack.
“The latest versions of WhatsApp go as far as showing a label in the link to warn users it can be malicious, where other messengers simply render the link un-clickable,” an advisory from Blaze Security explains.
The bugs found in Signal and Telegram have been assigned identifiers CVE-2019-9970 and CVE-2019-10044, respectively, and both were fixed (without announcement) before Blaze Security went public with its findings.
What you see is *not* what you get
Confusable homographs have been a threat for years. Attacks have been seen in the wild, where they are often classified as a type of social-engineering attack. Blaze Security argues that application developers ought to, and can, do more to defend against this class of attack.
Security-conscious users generally operate on the maxim that depending on any visual check is risky, but most surfers will not be as rigorous – hence the problem. Putting the emphasis on users in the event of attacks is inadequate, according to Blaze Security.
“Application security teams should step up their game and be proactive at preventing such attacks from happening (like Google did with Chrome), instead of pointing the blame to registrars, relying on user awareness to not bite the bait or waiting for ICANN to come up with a magic solution to the problem,” it concludes.