{"id":18636,"date":"2022-03-31T08:10:06","date_gmt":"2022-03-31T16:10:06","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/03\/31\/news-12369\/"},"modified":"2022-03-31T08:10:06","modified_gmt":"2022-03-31T16:10:06","slug":"news-12369","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/03\/31\/news-12369\/","title":{"rendered":"URI spoofing flaw could phish WhatsApp, Signal, Instagram, and iMessage users"},"content":{"rendered":"

Credit to Author: Malwarebytes Labs| Date: Thu, 31 Mar 2022 15:40:38 +0000<\/strong><\/p>\n

There’s a flaw in the way many of the world’s most popular messaging and email platforms\u2014such as Facebook Messenger, Instagram, iMessage, Signal, and WhatsApp\u2014render URIs (Uniform Resource Identifiers<\/a>). That flaw makes it possible for phishing attempts to bypass filters and escape the trained eye, and results in apps incorrectly displaying URLs.<\/p>\n

The flaw can be exploited when an attacker inserts an RTLO (right to left override<\/a>) Unicode control character, which is used to display Arabic or Hebrew messages, in a string. Because messages written in these two languages are read from right to left, once the browser or messaging application sees the RTLO character, it displays every character after it right-to-left.<\/p>\n

Two security researcher, zadewg<\/a> and sick.codes<\/a>, demonstrated this rendering flaw in a GitHub post you can see here<\/a>.<\/p>\n

\n

“When a message contains a valid URL, it is highlighted and marked as hyperlink. However, this is printed to screen before sanitizing Unicode Control Characters, which results in URI spoofing via specially crafted messages.”<\/p>\n<\/blockquote>\n

\n
\"\"
A demo showcasing the URI rendering flaw on Instagram. (Source: zadewg’s GitHub page)<\/figcaption><\/figure>\n<\/div>\n

The two researchers used Google’s browser URL in a test case involving Instagram. In this case, they took https:\/\/google.com\/<\/code> and combined it with the shortened URL, bit.ly\/2Max1Kz#<\/code>. They then inserted an RTLO Unicode character after the “\/” of Google’s URL and before bit.ly<\/code>. Once this is sent to someone, it will look like the URL you see on the GIF above:<\/p>\n

https:\/\/google.com\/#zK1xaM2\/yl.tib<\/code><\/p>\n

Notice that the bit.ly<\/code> bit of the URL is flipped from the left-to-right orientation to the right-to-left orientation.<\/p>\n

It’s simple to do, but what are the implications of this trick?<\/p>\n

For one thing, it’s a tactic that attackers can use to fool potential victims by making them think what they received is legitimate. Attackers can piggyback on legitimate domains as well, such as in this demo where the domain is legitimately Google.<\/p>\n

Abusing the RTL has been done many times in the past, but it usually involves filenames and not URLs. Several malware authors, such as those behind Bredolab, Mahdi, and SpyEye, are known to abuse the RTLO to hide malicious file names by disguising them as Word files or PDFs in spam attachments. <\/p>\n

Malware Intelligence Researcher Pieter Arntz and Senior Security Researcher Jean Taggert have shown how the disguising could be done here<\/a> and here<\/a>, respectively. Sirefef, a Trojan known for its stealth, used RTLO when injecting malicious entries<\/a> into the affected systems’ registry. And just last month, researchers from Vade Secure unearthed a phishing campaign<\/a> that targeted Microsoft 365 users by disguising its spam attachment as a “voice message” when it was actually the phishing page in HTML format.<\/p>\n

As there are a handful of applications affected by this flaw, each one has been assigned a CVE number to track:<\/p>\n