Security News > 2022 > March > URL rendering trick enabled WhatsApp, Signal, iMessage phishing
A rendering technique affecting the world's leading messaging and email platforms, including Instagram, iMessage, WhatsApp, Signal, and Facebook Messenger, allowed threat actors to create legitimate-looking phishing messages for the past three years.
The vulnerabilities are rendering bugs resulting in the apps' interface incorrectly displaying URLs with injected RTLO Unicode control characters, making the user vulnerable to URI spoofing attacks.
CVE-2020-20093 - Facebook Messenger 227.0 or prior for iOS and 228.1.0.10.116 or prior on AndroidCVE-2020-20094 - Instagram 106.0 or prior for iOS and 107.0.0.11 or prior on AndroidCVE-2020-20095 - iMessage 14.3 or older for iOSCVE-2020-20096 - WhatsApp 2.19.80 or prior for iOS and 2.19.222 or prior on Android.
The released PoC abuses google.com for the masqueraded and clickable URL and sets bit.
After the injected RTLO control character, the URL gets reversed due to treating it as a "Right-to-left" language, so the threat actor has to consider when registering the destination domain.
Even stranger, while iMessage on iOS 15 shows the text in reverse in message list preview screen, it removes the reverse string in the actual message.
News URL
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-03-23 | CVE-2020-20096 | Unspecified vulnerability in Whatsapp Whatsapp iOS 2.19.80 and prior and Android 2.19.222 and prior user interface does not properly represent URI messages to the user, which results in URI spoofing via specially crafted messages. | 6.5 |
2022-03-23 | CVE-2020-20095 | Unspecified vulnerability in Apple Imessage iMessage (Messages app) iOS 12.4 and prior user interface does not properly represent URI messages to the user, which results in URI spoofing via specially crafted messages. | 6.5 |
2022-03-23 | CVE-2020-20094 | Unspecified vulnerability in Facebook Instagram Instagram iOS 106.0 and prior and Android 107.0.0.11 and prior user interface does not properly represent URI messages to the user, which results in URI spoofing via specially crafted messages | 6.5 |
2022-03-23 | CVE-2020-20093 | Unspecified vulnerability in Facebook Messenger The Facebook Messenger app for iOS 227.0 and prior and Android 228.1.0.10.116 and prior user interface does not properly represent URI messages to the user, which results in URI spoofing via specially crafted messages. | 6.5 |