URL rendering trick enabled WhatsApp, Signal, iMessage phishing (Security News, March 2022)
A rendering technique affecting the world's leading messaging and email platforms, including Instagram, iMessage, WhatsApp, Signal, and Facebook Messenger, allowed threat actors to create legitimate-looking phishing messages for the past three years.
The vulnerabilities are rendering bugs: the apps' interfaces incorrectly display URLs containing injected RTLO (right-to-left override) Unicode control characters, leaving users open to URI spoofing attacks.
CVE-2020-20093 - Facebook Messenger 227.0 or prior for iOS and 228.1.0.10.116 or prior on Android
CVE-2020-20094 - Instagram 106.0 or prior for iOS and 107.0.0.11 or prior on Android
CVE-2020-20095 - iMessage 14.3 or older for iOS
CVE-2020-20096 - WhatsApp 2.19.80 or prior for iOS and 2.19.222 or prior on Android
The released PoC abuses google.com for the masqueraded and clickable URL and sets bit.
After the injected RTLO control character, the remainder of the URL is displayed reversed because it is treated as right-to-left text, so the threat actor has to account for this when registering the destination domain.
Even stranger, while iMessage on iOS 15 shows the text reversed in the message list preview screen, it removes the reversed string in the actual message.
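As an added defender-side example (not code from the advisory or from any of the affected vendors): a Python check that flags URLs in message text carrying Unicode bidi formatting characters such as U+202E, approximates how the portion after the override would be displayed, and strips the controls. The sample messages and the example.com URLs are constructed.

```python
import re
import unicodedata

# Bidi classes of Unicode's explicit directional formatting characters
# (U+202A..U+202E and U+2066..U+2069). U+202E, class RLO ("right-to-left
# override"), is the one the messaging apps rendered incorrectly.
BIDI_FORMAT_CLASSES = {"LRE", "RLE", "LRO", "RLO", "PDF", "LRI", "RLI", "FSI", "PDI"}

# Loose URL matcher on purpose: bidi controls are not whitespace, so they
# stay inside the match and can be inspected.
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

def bidi_controls_in(s):
    """Return [(index, 'U+XXXX', name)] for every bidi formatting char in s."""
    return [(i, f"U+{ord(c):04X}", unicodedata.name(c, "?"))
            for i, c in enumerate(s)
            if unicodedata.bidirectional(c) in BIDI_FORMAT_CLASSES]

def find_spoofable_urls(message):
    """Return every URL in message that carries bidi formatting characters.
    A URL never legitimately needs them, so any hit is worth blocking,
    stripping, or showing to the user with the controls escaped."""
    hits = []
    for m in URL_RE.finditer(message):
        found = bidi_controls_in(m.group(0))
        if found:
            hits.append({"url": m.group(0), "controls": found})
    return hits

def approximate_display(url):
    """Approximate what a viewer that honours U+202E shows: the text after the
    override is drawn right-to-left (mirrored), the text before it is not.
    Simple case only: one RLO and nothing terminating it."""
    head, sep, tail = url.partition("\u202e")
    return head + tail[::-1] if sep else url

def strip_bidi_controls(s):
    """Remove bidi formatting characters so what is shown is what was sent."""
    return "".join(c for c in s
                   if unicodedata.bidirectional(c) not in BIDI_FORMAT_CLASSES)

if __name__ == "__main__":
    # Constructed sample messages; the second hides a U+202E in the URL path.
    for msg in ["Notes: https://example.com/notes/2022-03",
                "See https://example.com/\u202Eabc now"]:
        for hit in find_spoofable_urls(msg):
            print(repr(hit["url"]), hit["controls"])
            print("  displayed roughly as:", approximate_display(hit["url"]))
            print("  sanitized:", strip_bidi_controls(hit["url"]))
```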
Related Vulnerabilities
DATE | CVE | VULNERABILITY TITLE | RISK
---|---|---|---
2022-03-23 | CVE-2020-20096 | Unspecified vulnerability in WhatsApp for iOS 2.19.80 and prior and Android 2.19.222 and prior: the user interface does not properly represent URI messages to the user, which results in URI spoofing via specially crafted messages. | 4.3
2022-03-23 | CVE-2020-20095 | Unspecified vulnerability in Apple iMessage (Messages app) for iOS 12.4 and prior: the user interface does not properly represent URI messages to the user, which results in URI spoofing via specially crafted messages. | 4.3
2022-03-23 | CVE-2020-20094 | Unspecified vulnerability in Facebook Instagram for iOS 106.0 and prior and Android 107.0.0.11 and prior: the user interface does not properly represent URI messages to the user, which results in URI spoofing via specially crafted messages. | 4.3
2022-03-23 | CVE-2020-20093 | Unspecified vulnerability in the Facebook Messenger app for iOS 227.0 and prior and Android 228.1.0.10.116 and prior: the user interface does not properly represent URI messages to the user, which results in URI spoofing via specially crafted messages. | 4.3