Dangerous URL trick threatens WhatsApp, iMessage and Signal users
Phishing websites aim for your login or payment data and can often be distinguished from the real page only by small details. One of those details is the URL, and a vulnerability now lets criminals manipulate how it is shown. With a so-called Unicode control character, WhatsApp, iMessage and Signal display a manipulated URL as if it were correct. The weakness is that the apps mentioned do not filter out this control character, which considerably increases the risk of falling into the phishing trap.
Vulnerabilities make phishing more dangerous
The problem lies in the “right-to-left override” control character in Unicode (U+202E), which is used, for example, to represent Arabic script that is read from right to left. If criminals insert this character into a link, everything after it is displayed reversed, so the actual Internet address is disguised and the recipient of the message sees only what the sender wants. For example, the text “www.boese-url.com”, followed by U+202E and then “ed.nozama.www”, is displayed by the app as ending in “www.amazon.de”, while the link still points to “www.boese-url.com”. In this example the trick can be used to lead the victim to a fake Amazon page that is indistinguishable from the real one. Some of the security gaps behind this have been known since 2019. Until now, however, this was only theory; there is now a “proof of concept”, i.e. a working example that demonstrates the gap. The manufacturers of WhatsApp, iMessage and Signal have been informed. The following programs and versions are affected:
Signal in the current version
Facebook Messenger 227.0 or earlier on iOS and 228.1.0.10.116 or earlier on Android
Instagram 106.0 or earlier for iOS and 107.0.0.11 or earlier on Android
iMessage 14.3 or earlier for iOS
WhatsApp 2.19.80 or earlier for iOS and 2.19.222 or earlier on Android
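The following Python snippet is an added example and not code from the article or from any of the messengers named above. It shows the defensive side of the trick: how a link-handling component can detect the bidirectional control characters, what a naive renderer would show the recipient, and what the raw text actually contains. The sample string is constructed from the article's own example; the display simulation is a deliberately simplified model of the Unicode Bidirectional Algorithm (it only reverses the run after an override character up to a pop character or the end of the string), which is enough to illustrate the effect.

```python
import unicodedata

# Unicode bidirectional control characters. U+202E (RIGHT-TO-LEFT OVERRIDE) is
# the one the article describes; the others are its siblings from the same
# block plus the isolate controls added in Unicode 6.3. A link sanitiser should
# treat all of them as suspicious, since none of them belongs in a URL.
BIDI_CONTROLS = frozenset(
    "\u200e\u200f"              # LRM, RLM
    "\u202a\u202b\u202c\u202d\u202e"  # LRE, RLE, PDF, LRO, RLO
    "\u2066\u2067\u2068\u2069"  # LRI, RLI, FSI, PDI
)

RLO = "\u202e"   # RIGHT-TO-LEFT OVERRIDE
PDF = "\u202c"   # POP DIRECTIONAL FORMATTING ends the override run


def find_bidi_controls(text: str) -> list[tuple[int, str, str]]:
    """Return (offset, 'U+XXXX', Unicode name) for every bidi control in text."""
    return [
        (i, f"U+{ord(ch):04X}", unicodedata.name(ch))
        for i, ch in enumerate(text)
        if ch in BIDI_CONTROLS
    ]


def strip_bidi_controls(text: str) -> str:
    """Remove every bidi control character; this is the raw text a link really carries."""
    return "".join(ch for ch in text if ch not in BIDI_CONTROLS)


def safe_to_linkify(text: str) -> bool:
    """A messenger that refuses to turn text containing bidi controls into a
    clickable link (or shows the stripped form) removes the disguise."""
    return not find_bidi_controls(text)


def simulate_rlo_display(text: str) -> str:
    """Simplified model of what a renderer shows: the characters after a
    RIGHT-TO-LEFT OVERRIDE are drawn right to left, i.e. reversed, until a
    POP DIRECTIONAL FORMATTING character or the end of the string. Other
    controls are left in place; this is an assumption made for illustration,
    not a full implementation of the Unicode Bidirectional Algorithm."""
    out = []
    i = 0
    n = len(text)
    while i < n:
        if text[i] == RLO:
            end = text.find(PDF, i + 1)
            if end == -1:
                end = n
            out.append(text[i + 1:end][::-1])
            i = end + 1          # skip the PDF as well
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


# Constructed sample based on the article's example: real host first, then the
# override character, then the reversed spelling of the host the victim should see.
SAMPLE_LINK = "www.boese-url.com" + RLO + "ed.nozama.www"

if __name__ == "__main__":
    print("controls found :", find_bidi_controls(SAMPLE_LINK))
    print("recipient sees :", simulate_rlo_display(SAMPLE_LINK))
    print("raw text is    :", strip_bidi_controls(SAMPLE_LINK))
    print("safe to linkify:", safe_to_linkify(SAMPLE_LINK))
```

Running the block shows the displayed form ending in "www.amazon.de" while the raw text begins with "www.boese-url.com"; a client that applies `safe_to_linkify` (or at least displays `strip_bidi_controls` output next to the link) takes the disguise away, which is exactly the filtering the article says the affected apps lacked.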
URL trick: How to protect yourself
To avoid falling into the trap, install the latest versions of your messengers. Signal was informed about the vulnerability only recently, so there is no patch for it yet; however, the developers reacted immediately and announced one for the next version. You can also play it safe with an up-to-date virus protection app: such apps check the real target URL before it is opened and warn you about scam sites.