
URL rendering trick enabled WhatsApp, Signal, iMessage phishing
2022-03-25 15:51

A rendering technique affecting the world's leading messaging and email platforms, including Instagram, iMessage, WhatsApp, Signal, and Facebook Messenger, allowed threat actors to create legitimate-looking phishing messages for the past three years.

The vulnerabilities are rendering bugs resulting in the apps' interface incorrectly displaying URLs with injected RTLO Unicode control characters, making the user vulnerable to URI spoofing attacks.

CVE-2020-20093 - Facebook Messenger 227.0 or prior for iOS and 228.1.0.10.116 or prior on Android
CVE-2020-20094 - Instagram 106.0 or prior for iOS and 107.0.0.11 or prior on Android
CVE-2020-20095 - iMessage 14.3 or older for iOS
CVE-2020-20096 - WhatsApp 2.19.80 or prior for iOS and 2.19.222 or prior on Android

The released PoC abuses google.com for the masqueraded and clickable URL and sets bit.

After the injected RTLO control character, the rest of the URL is displayed reversed because the renderer treats it as right-to-left text, so the threat actor has to take this reversal into account when registering the destination domain.

Even stranger, while iMessage on iOS 15 shows the text in reverse in the message list preview screen, it removes the reversed string in the actual message.
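The defensive counterpart to the rendering trick described above is to flag any URL that carries Unicode bidirectional control characters before it is shown to a user. The following is an added example, not code from the article or from any of the affected vendors: it scans a message for URLs, reports the bidi controls found, the host a client would really connect to, and an approximation of what a naive renderer displays; the sample message and the `approximate_display` helper are constructed for illustration.

```python
import re
import unicodedata
from urllib.parse import urlparse

# Unicode bidirectional control characters that can reorder displayed text.
# U+202E (RIGHT-TO-LEFT OVERRIDE) is the RTLO character the article describes.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",   # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",             # LRI, RLI, FSI, PDI
    "\u200e", "\u200f", "\u061c",                       # LRM, RLM, ALM
}
RLO, PDF = "\u202e", "\u202c"

# Match a URL token; \S is deliberate so embedded control characters (which are
# not whitespace) stay inside the matched URL.
URL_RE = re.compile(r"https?://\S+")

def approximate_display(text):
    """Approximate what a naive renderer shows: the run following an RLO is
    reversed until a PDF (pop) or end of string, other controls are invisible.
    Real bidi layout is more involved; this is an educational approximation."""
    out, i = [], 0
    while i < len(text):
        ch = text[i]
        if ch == RLO:
            end = text.find(PDF, i + 1)
            if end == -1:
                end = len(text)
            out.append(text[i + 1:end][::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)

def scan_message(message):
    """Return one finding per URL that contains bidi controls: the logical URL,
    the host a client would actually connect to, the approximate on-screen text
    and the names of the control characters found."""
    findings = []
    for m in URL_RE.finditer(message):
        url = m.group(0)
        controls = sorted({unicodedata.name(c) for c in url if c in BIDI_CONTROLS})
        if not controls:
            continue
        clean = "".join(c for c in url if c not in BIDI_CONTROLS)
        findings.append({"logical_url": url, "real_host": urlparse(clean).hostname,
                         "displayed_as": approximate_display(url), "controls": controls})
    return findings

# Constructed sample (not from the article): the path after the RTLO character
# is stored as "fdp.eciovni" but renders as "invoice.pdf".
SAMPLE = "Your invoice: https://example.com/\u202Efdp.eciovni please review"
```

A messaging client or mail gateway can apply `scan_message` before rendering and either strip the controls or show the logical URL alongside a warning.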


News URL

https://www.bleepingcomputer.com/news/security/url-rendering-trick-enabled-whatsapp-signal-imessage-phishing/

Related Vulnerability

DATE        CVE             VULNERABILITY TITLE                               RISK
2022-03-23  CVE-2020-20096  Unspecified vulnerability in Whatsapp             network, low complexity, whatsapp, score 6.5
            Whatsapp iOS 2.19.80 and prior and Android 2.19.222 and prior user interface does not properly represent URI messages to the user, which results in URI spoofing via specially crafted messages.
2022-03-23  CVE-2020-20095  Unspecified vulnerability in Apple Imessage       network, low complexity, apple, score 6.5
            iMessage (Messages app) iOS 12.4 and prior user interface does not properly represent URI messages to the user, which results in URI spoofing via specially crafted messages.
2022-03-23  CVE-2020-20094  Unspecified vulnerability in Facebook Instagram   network, low complexity, facebook, score 6.5
            Instagram iOS 106.0 and prior and Android 107.0.0.11 and prior user interface does not properly represent URI messages to the user, which results in URI spoofing via specially crafted messages.
2022-03-23  CVE-2020-20093  Unspecified vulnerability in Facebook Messenger   network, low complexity, facebook, score 6.5
            The Facebook Messenger app for iOS 227.0 and prior and Android 228.1.0.10.116 and prior user interface does not properly represent URI messages to the user, which results in URI spoofing via specially crafted messages.

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Whatsapp 5 1 11 13 16 41
Signal 3 1 7 5 1 14