World’s Leading Messaging & Email Platforms Suffered Phishing For Three Years Through URL Rendering Technique

An intricate URL rendering trick has finally been exposed as the cause behind worldwide phishing on a number of leading messaging and email platforms.

Affected platforms included WhatsApp, Instagram, iMessage, Facebook Messenger, and Signal.

These all reportedly allowed threat actors to create legitimate-looking phishing messages over a span of three years.

The threat of rendering bugs is very real

Experts believe the discovery has come at a time when it was most needed. They say these rendering bugs create a vulnerability in the application's interface: injecting a right-to-left override (RTLO) makes the app display an incorrect URL.

RTLO is the name given to a Unicode control character, and its misuse leaves users vulnerable to URI spoofing attacks.

Furthermore, it was shown that adding an RTLO character to a string causes a browser to display the text that follows in right-to-left orientation, as is normal for languages such as Hebrew or Arabic.

Who is under threat?

Most users are potential targets, since the end result is phishing that spoofs a number of trusted domains. The spoofed links typically arrive in messages sent through apps like Facebook Messenger, WhatsApp, Instagram, and iMessage.

A number of these vulnerabilities have been assigned CVEs that cover a wide range of IM app versions. Signal doesn't have a CVE, as the exact attack method was only recently shown to them.

And while the spoofed URLs may appear to be legitimate subdomains of Google or Apple, that is far from the truth.

The flaws of the CVE Program in focus

These CVE IDs aren't new. The flaws were initially discovered in 2019 by a researcher who went by the name 'Zadewg'.

Now, more awareness is being raised thanks to freelance researchers who are keenly interested in how the mechanism works and how users can avoid being targeted.

But tech experts believe that the spoofing techniques used are not only tricky to identify but also very elusive in nature.

For instance, what is made to appear as a single URL is actually treated as two separate URLs. If a user clicks on the left part of the URL, they are directed to one website, while clicking on the right part sends them to another site.

Research showed that the rendering flaw doesn't work as well on email platforms like ProtonMail or Gmail. But the same attack can be expected on other IM or email apps.

This is why users of the apps mentioned above need to be extremely cautious when they get messages with URLs. Another good practice is to always click on the left part of a URL and to watch for software security updates that may address the issue.
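An added example, not from the original article or the researchers' work: a Python check that a mail or chat gateway could run to flag links on lines containing Unicode bidirectional formatting controls such as RTLO (U+202E), and to show the text in its stored order. The function names and the sample messages are constructed for illustration.

```python
import re
import unicodedata

# Explicit bidirectional formatting controls that can reorder displayed text.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
}
URL_START = re.compile(r"https?://", re.IGNORECASE)

def find_bidi_controls(text):
    """Return (index, code point, Unicode name) for each control found."""
    return [(i, f"U+{ord(c):04X}", unicodedata.name(c, "UNKNOWN"))
            for i, c in enumerate(text) if c in BIDI_CONTROLS]

def suspicious_links(text):
    """Return URL tokens on any line that also carries a bidi control.
    The whole line is checked because an override keeps affecting the
    displayed order until the paragraph ends."""
    hits = []
    for line in text.splitlines():
        if any(c in BIDI_CONTROLS for c in line):
            hits += [tok for tok in line.split() if URL_START.search(tok)]
    return hits

def neutralize(text):
    """Replace each control with a visible marker, so what the reader
    sees is the stored (logical) character order."""
    return "".join(f"<U+{ord(c):04X}>" if c in BIDI_CONTROLS else c
                   for c in text)

# Constructed sample messages (not captured traffic).
SAMPLES = [
    "Your invoice: https://example.com/billing",            # clean
    "Reset here: https://example.com/\u202eabc/reset now",  # RTLO in link
    "שלום, see https://example.org/help",                   # plain Hebrew, no controls
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(suspicious_links(msg), find_bidi_controls(msg), neutralize(msg))
```

Ordinary Hebrew or Arabic text is not flagged, because right-to-left letters need no override character to display correctly.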

H/T: BC.