URL Rendering Trick Enabled WhatsApp, Signal, iMessage Phishing
A rendering technique affecting the world’s leading messaging and email platforms, including Instagram, iMessage, WhatsApp, Signal, and Facebook Messenger, allowed threat actors to create legitimate-looking phishing messages for the past three years.
The vulnerabilities are rendering bugs resulting in the apps’ interface incorrectly displaying URLs with injected RTLO (right to left override)Unicode control characters, making the user vulnerable to URI spoofing attacks.
When injecting an RTLO character in a string, it causes a browser or messaging app to display the string from right-to-left rather than its normal left-to-right orientation. This character is predominantly used for the display of Arabic or Hebrew messages.
This enables phishing attacks to spoof trustworthy domains on messages sent to users on WhatsApp, iMessage, Instagram, Facebook Messenger, and Signal, making them appear as legitimate and trustworthy subdomains of apple.com or google.com.
The vulnerabilities have been assigned the following CVEs and are known to work in the following versions of IM apps:
CVE-2020-20093 – Facebook Messenger 227.0 or prior for iOS and 126.96.36.199.116 or prior on Android
CVE-2020-20094 – Instagram 106.0 or prior for iOS and 188.8.131.52 or prior on Android
CVE-2020-20095 – iMessage 14.3 or older for iOS
CVE-2020-20096 – WhatsApp 2.19.80 or prior for iOS and 2.19.222 or prior on Android
Signal doesn’t have a corresponding CVE ID because the particular attack method was disclosed to them just recently.
Discovery and PoC
The CVE IDs are so old because the initial discovery of the vulnerabilities took place in August 2019 by a researcher named ‘zadewg.’
Sick.Codes reached out to the researcher to ask if he had just made his repository public or not, and the researcher responded with surprise about the CVEs being released now, after all that time.
The researcher was reluctant to share more information about the method of exploiting the flaws, which had been demonstrated only on video, so Sick.Codes decided to replicate the exploit on his own and write a proof of concept (PoC) for it.
The two security researchers agreed on the immediate release of the PoC on GitHub since the vulnerabilities may have been under active exploitation for a long time now.
The exploit is a one-liner abusing iOS and Android’s trust of gTLDs and support for displaying bi-directional text and is as simple as adding a single control character ‘\u202E’ between two valid URLs.
For example, the released PoC abuses google.com for the masqueraded and clickable URL and sets bit.ly/3ixIRwm as the destination.
After the injected RTLO control character, the URL gets reversed due to treating it as a “right-to-left” language (Arabic, Hebrew, etc.), so the threat actor has to consider when registering the destination domain.
For example, using a crafted ‘gepj.xyz’ URL would appear as the innocuous JPEG image file ‘zyx.jpeg’, while crafting “kpa.li” would appear as an APK file ‘li.apk’, etc.
In reality, these destinations could host anything, so the spoofing is highly elusive and tricky to spot.
However, BleepingComputer noticed some peculiarities when testing this bug in iMessage, Signal, and even Gmail. For example, while the combined URLs may appear as a single URL, they are actually treated as two URLs.
This means that if a user clicks on the left side of the URL, they will go to Google.com, and if they click on the right side, they will go to BleepingComputer.com.
Even stranger, while iMessage on iOS 15 shows the text in reverse in message list preview screen, it removes the reverse string in the actual message.
Other tests conducted by BleepingComputer show that this rendering flaw does not work as expected in Gmail, Outlook.com, or ProtonMail.
While the URL is displayed as a single string with the reverse text, the RTLO Unicode character in the hyperlink is converted to its hexadecimal equivalent, leaving an URL like:
Impact and fixes
The one-liner PoC is publicly available and straightforward to use even by people with poor technical understanding or no hacking skills.
The same attack is likely applicable to many more IM and email apps, but only those mentioned above have been confirmed as vulnerable.
Telegram used to be vulnerable too, but it was the first to address the problem via a security update.
Also, Signal’s development team has responded to Sick.Codes’ report immediately and told the researcher a fix is coming in the next release of the app.
Sick.Codes told BleepingComputer that the messaging apps listed above are still vulnerable to this rendering method.
NIST is currently investigating the scope and the impact of the vulnerabilities, so if they had been fixed in past versions, it will be determined by the organization soon.
As such, users of the mentioned apps should be cautious when receiving messages containing URLs, always click on the left side, and remain on alert for incoming app security updates that may address the issue.
Sick.Codes said the rendering method is still functional in all of the tested apps, and suggests users of all IM apps is the following:
“Turn off link previews in everything, especially mail apps and anything related to notifications. Don’t visit weird websites with popups. Don’t click random prize giveaways.
You already have a phone, so use your bookmarks and make sure to keep it up to date. Given the amount of zero-days flying around, especially those disclosed recently for iOS, it would be perilous to trust URLs in IMs.”
As RTLO Unicode characters have a legitimate use, it is not clear if the messaging apps will fix this as it may break legitimate functionality.
Bleeping Computer has contacted the vendors of the affected applications to learn when this will be fixed, and we will update this post as soon as we receive a response.