URL Spoofing Using RTLO in Messaging Apps

Jan 23, 2023

A previous article indicated a URL spoofing vulnerability in Slack using link syntax. Subsequently, a URL spoofing vulnerability using a right-to-left override (RTLO or RLO) character was found in many popular messaging apps. This article explains how URL spoofing operates using RTLO. Moreover, it indicates the vulnerability found in a Japanese messaging app and corresponding mitigation measures.

Summary

URL spoofing using RTLO is a vulnerability that enables visual spoofing by reversing the display order of URL strings. In other words, it can display the URL of an illegitimate website as that of a legitimate one; thus, attackers can direct victims to illegitimate websites. Therefore, it can be exploited for phishing scams and malware distribution. Vulnerability was also found in +Message, a messaging app co-developed by Japanese mobile network operators. The developers mitigated this by displaying a warning dialog before accessing an illegitimate website.

Spoofing Mechanism

RTLO is a Unicode control character (U+202E) that supports languages using right-to-left text^¹. As in this article, English text is written from left to right. In contrast, some languages, such as Arabic and Hebrew, are written from right to left. Using RTLO within a left-to-right text reverses a string from right to left. That is, the string \u202EHello, World! is displayed as !dlroW ,olleH.

This characteristic of RTLO has the potential to be exploited for visual spoofing^². For example, the filename mal\u202Efdp.exe is displayed as malexe.pdf, thus enabling attackers to spoof file extensions^³. In the real world, attackers direct victims to malware and phishing webpages by attaching files with spoofed extensions to emails and messages^{⁴ ⁵}. Additionally, the spoofability of source code has been demonstrated^{⁶ ⁷}.

URL Spoofing

Generally, URLs remain left-to-right, even within the right-to-left text. The URL Standard defines that browsers should render URLs containing bidirectional (mixtures of left-to-right and right-to-left) text as left-to-right^⁸. This definition seems to be accepted by many users of right-to-left languages^⁹. For example, the URL in Arabic Wikipedia is written from left to right as follows^¹⁰.

محدد موقع الموارد المُوحّد (بالإنجليزية: Uniform Resource Locator اختصاراً URL) ويعد جزء من معرف الموارد الموحد وبواسطته يتم تحديد مواقع الانترنت. وهو ذلك العنوان الذي تكتبه في شريط العنوان للذهاب إلى مواقع الإنترنت ويسبقه تحديد البروتوكول مثال //:http أو البروتوكول //:ftp وعلى سبيل المثال عنوان هذه الصفحة هو http://ar.wikipedia.org يضم العنوان بالترتيب:

However, the globally popular messaging apps were rendering URLs containing RTLO as links with reversed strings^{¹¹ ¹²}. That is, the URL string \u202Ehttps://evil.akaki.io/#moc.elgoog was displayed as the following link, which links to evil.akaki.io, not google.com.

https://evil.akaki.io/#moc.elgoog

Thus, URLs can be visually spoofed by reversing the display order of the strings. Therefore, attackers can direct victims who are accustomed to a left-to-right language to phishing websites and malware distributors. If messages are displayed on the left side owing to the Bubble UI, the victims will misread the following spoofed URLs.

https://evil.akaki.io/#moc.elgoog

Vulnerability in +Message

As with many messaging apps, the URL spoofing vulnerability (CVE-2022-43543) caused by RTLO was found in +Message^¹³. +Message is a messaging app for iOS and Android that provides SMS and RCS, which was co-developed by Japanese mobile network operators^¹⁴. Figure 1 shows the URL spoofing vulnerability in +Message. In the figure, the attacker uses macOS (left) and Android (center), whereas the victim uses iOS (right). The attacker copies the URL string containing the RTLO using pbcopy and then pastes it into the Android device via scrcpy. On tapping the link received from the attacker, the victim is directed to evil.akaki.io, not google.com.

Figure 1: Demonstration of URL spoofing in +Message.

Mitigation Measures

Developers should consider implementing some mitigation measures against URL spoofing using RTLO. The URL Standard advises to only render a URL's host when a URL contains bidirectional text^⁸. Furthermore, the specifications of the Internationalized Resource Identifier (IRI), which extends the character set of URLs, specify that IRIs must not contain bidirectional formatting characters when they are displayed^¹⁵. Therefore, a process is required to avoid visual spoofing before rendering the URL string as a link.

Alternatively, a process to verify a URL before accessing a resource can mitigate risk. The developers of +Message implemented a mitigation measure that warns of risk through a dialog before accessing a spoofed URL. Figure 2 illustrates the warning dialog that appears in the mitigated app. The URL in the message is reversed, whereas the URL in the dialog is not. Therefore, users can detect spoofing before they are directed to illegitimate websites.

Figure 2: Warning dialog against a spoofed URL.

Conclusion and Future Work

URLs containing RTLO may be rendered as links that are misread by users accustomed to left-to-right language. Thus, developers should avoid rendering such links or warn users about them. Owing to previous research, globally popular messaging apps have already mitigated the risk of URL spoofing; however, apps only used in some countries may still be vulnerable. Therefore, further research is required to focus on such apps. Not limited to URL spoofing, RTLO has the potential to be exploited for social engineering using spoofed usernames and bypassing posting restrictions using spoofed words and sentences. We should recognize the existence of such spoofabilities.

^¹ UNICODE BIDIRECTIONAL ALGORITHM - Unicode Standard Annex #9
^² UNICODE SECURITY CONSIDERATIONS - Unicode Technical Report #36
^³ Masquerading: Right-to-Left Override, Sub-technique T1036.002 - MITRE ATT&CK
^⁴ Zero-day vulnerability in Telegram - SECURELIST by Kaspersky
^⁵ How Hackers Are Using a 20-Year-Old Text Trick to Phish Microsoft 365 Users - Vade
^⁶ Ethereum Smart Contracts Exploitation Using Right-To-Left-Override Character - Skylight Cyber
^⁷ Trojan Source: Invisible Vulnerabilities - arXiv
^⁸ 4.8.3. Internationalization and special characters - URL Living Standard
^⁹ 1.4.1 Overall Presentation in a Bidirectional Language - IRIStatus - W3C
^¹⁰ محدد موقع الموارد الموحد - ويكيبيديا
^¹¹ Exploit: RTLO Injection URI Spoofing: WhatsApp, iMessage (Messages app), Instagram, Facebook Messenger - Sick.Codes
^¹² Signal client for iOS version 5.33.2 and below are vulnerable to RTLO Injection URI Spoofing - Sick.Codes
^¹³ JVN#43561812: +Message App improper handling of Unicode control characters - JVN
^¹⁴ RCS Business Messaging in Japan - GSMA
^¹⁵ 4.1. Logical Storage and Visual Presentation - RFC 3987: Internationalized Resource Identifiers (IRIs)