zadewg/RIUS


RIUS - RTLO Injection URI Spoofing CVE-2020-20093; 20094; 20095; 20096, 2022-28345

CWE-451: User Interface Misrepresentation of Critical Information.

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

When a message contains a valid URL, it is highlighted and marked as a hyperlink. However, the text is printed to the screen before Unicode control characters are sanitized, which allows URI spoofing via specially crafted messages.
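A defensive check for the ordering problem described above, as an added example (not code from the RIUS repository or from any affected app): it neutralizes Unicode bidirectional control characters before display and refuses to hyperlink any URL that contains one. The function names, the simplified URL regex and the sample message are assumptions constructed for illustration.

```python
import re

# Unicode characters with the Bidi_Control property (includes RLO, U+202E).
BIDI_CONTROLS = frozenset(
    "\u061c\u200e\u200f\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069"
)

# Assumption: a deliberately simple URL matcher (scheme plus non-whitespace run).
# Bidi controls are not whitespace, so they stay inside the match.
URL_RE = re.compile(r"https?://\S+")


def neutralize(text):
    """Replace every bidi control with a visible <U+XXXX> marker."""
    return "".join(
        f"<U+{ord(ch):04X}>" if ch in BIDI_CONTROLS else ch for ch in text
    )


def scan_message(message):
    """Sanitize first, then decide what may be hyperlinked.

    Returns (display_text, links); a URL carrying a bidi control is reported
    with its code points and is not made clickable.
    """
    links = []
    for match in URL_RE.finditer(message):
        raw = match.group(0)
        controls = [f"U+{ord(ch):04X}" for ch in raw if ch in BIDI_CONTROLS]
        links.append({
            "shown_as": neutralize(raw),
            "controls": controls,
            "clickable": not controls,
        })
    return neutralize(message), links


# Constructed sample message: one URL with an embedded U+202E, one clean URL.
SAMPLE = "see https://example.com/\u202eabc and https://example.org/ok"

if __name__ == "__main__":
    text, found = scan_message(SAMPLE)
    print(text)
    for link in found:
        print(link)
```

The same check can run on inbound messages in a gateway or log pipeline to surface messages that carry bidi controls inside a link.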

 

Affects all recent distributions of iOS iMessage, WhatsApp, Instagram, and Facebook Messenger as of 2019.8.15

Patched in Signal iOS 5.34 release: commit

Patched in Telegram in 2019


[Screenshots: proof-of-concept renders in WhatsApp (POCW) and Instagram DM (POCI); mapez - telegram]
