A trick has been known for years that cybercriminals can use to abuse popular messenger services such as WhatsApp, Signal, or iMessage for phishing purposes. The people behind it can use URLs that look legitimate, for example from apple.com or google.com. This comes from a report by Bleeping Computer Online Magazine. Some of the underlying vulnerabilities have been known since 2019 and put users of the most popular messaging and email platforms such as Instagram, iMessage, WhatsApp, Signal, and Facebook Messenger at risk.
Things are getting fresher now that a proof of concept has emerged. Infographic WhatsApp, Instagram & Co: How young people prefer to communicate The vulnerabilities are rendering errors that cause the app’s UI to incorrectly display URLs with RTLO (right to left override) Unicode controls inserted, leaving the user vulnerable to URI spoofing attacks. The display bug allows threat actors to create legitimate-looking phishing messages and use them to mass-find victims.
Apparently trusted domains
When an RTLO character is inserted into a string, it causes a browser or messaging app to display the string from right to left instead of its normal left-to-right orientation. This character is mainly used to indicate Arabic or Hebrew messages. In this way, trusted domains for phishing attacks can be faked in messages and make them appear as legitimate and trusted subdomains of apple.com or google.com. The following CVEs have been assigned to the vulnerabilities and are known to work in the following versions of IM applications:
- CVE-2020-20093 – Facebook Messenger 227.0 or earlier on iOS and 22.214.171.124.116 or earlier on Android
- CVE-2020-20094 – Instagram 106.0 or earlier for iOS and 126.96.36.199 or earlier on Android
- CVE-2020-20095 – iMessage 14.3 or earlier for iOS
- CVE-2020-20096 – WhatsApp 2.19.80 or earlier on iOS and 2.19.222 or earlier on Android
A proof of concept was recently published on Github. The vulnerabilities may have been actively exploited for a long time.
Phishing, malware, spoofing
After the injected RTLO control character, the URL is inverted as it is treated as a “right to left” language (Arabic, Hebrew, etc.), which the threat actor then only needs to match with its target domain to successfully hide. For example, a fake URL “gepj.xyz” would appear as a harmless JPEG image file “zyx.jpeg”, while a fake URL “kpa.li” would appear as an APK file “li.apk”, etc. behind the URLs a lot can then be hidden, making the spoofing very difficult to detect.
Brian is the news author at Research Snipers which mainly covers Technology News, Microsoft News, Google News, Facebook, Apple, Huawei, Xiaomi, and other tech news.