
Be careful where you click: this WhatsApp bug allows an attacker to trick you with links

Imagine that you receive a message on WhatsApp with a seemingly harmless link to ln.instagram.com. The surprise is that, according to researcher Itay Zukerman, there is a security flaw in WhatsApp that allows that link to take you not to Instagram but to any site the attacker chooses.

It all started when he was looking for a way to make the recipient of a message issue an HTTP request, essentially clicking a link without realizing it.

His initial idea was to take advantage of WhatsApp’s link preview feature, expecting the link to be fetched twice: once by the sender and once by the receiver. However, he discovered that only one request was made, that of the sender.

Then he realized that if the receiver did not fetch the link itself, the sender had to be sending both the link and the preview. Here he found the first vulnerability: the link preview was not checked against the actual link. He manipulated the message so that the link and the preview pointed to different places and, to his surprise, it worked.

Discovering a vulnerability in WhatsApp that puts the security of links at risk

Now he wanted to go further. He did not want the real link to be displayed in the message, so he devised a way to “disguise” the link text. Remembering that some Unicode characters can change the appearance of text, he used U+202E, the right-to-left override, which makes the text that follows it display in reverse order. But that was not enough; the link looked horrible and no one would click on it.

So he faced the second problem: how to make the link look legitimate. He created a URL that, when displayed in reverse, appeared to go to Instagram but actually led to his own blog.

Up to this point it seems harmless, but this vulnerability could allow attackers to conduct phishing attacks, tricking people into clicking links that look safe but lead to malicious sites.
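Both ingredients of the trick described above can be checked for on the receiving side: a message whose link text contains Unicode bidirectional controls (such as U+202E) may not read the way it looks, and a preview whose host differs from the link's real host is not describing that link. The following Python is an added, illustrative checker written for this article, not code from WhatsApp or from the researcher; the sample message and preview URL are constructed, and a real client would run this over its own message and preview data.

```python
import re
import unicodedata
from urllib.parse import urlparse

# Unicode bidirectional controls that can make displayed text differ from the
# underlying characters. U+202E (RIGHT-TO-LEFT OVERRIDE) is the one used in the article.
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069\u200e\u200f")

URL_RE = re.compile(r"https?://[^\s]+")

def find_bidi_controls(text):
    """Return (offset, 'U+XXXX', unicode name) for every bidi control character in text."""
    return [(i, f"U+{ord(c):04X}", unicodedata.name(c))
            for i, c in enumerate(text) if c in BIDI_CONTROLS]

def strip_bidi_controls(text):
    """Remove bidi controls so URL extraction sees the characters that are really there."""
    return "".join(c for c in text if c not in BIDI_CONTROLS)

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def check_message(text, preview_url=None):
    """Flag a chat message whose links may not be what they appear to be.

    text: the message body as received; preview_url: the URL the attached
    link preview claims to describe (None if the message carries no preview).
    Returns a list of findings; an empty list means nothing suspicious was seen.
    """
    findings = []
    for offset, code, name in find_bidi_controls(text):
        findings.append(f"bidi control {code} ({name}) at offset {offset}: "
                        "displayed text may not match the real text")
    for link in URL_RE.findall(strip_bidi_controls(text)):
        if preview_url is not None and host_of(link) != host_of(preview_url):
            findings.append(f"preview host {host_of(preview_url)!r} "
                            f"does not match link host {host_of(link)!r}")
    return findings

# Constructed sample: a message containing a right-to-left override and a link to
# example.com, delivered with a preview that claims to be for instagram.com.
SAMPLE_MESSAGE = "Check my profile \u202e https://example.com/page"
SAMPLE_PREVIEW = "https://instagram.com/someone"

if __name__ == "__main__":
    for finding in check_message(SAMPLE_MESSAGE, preview_url=SAMPLE_PREVIEW):
        print(finding)
```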

As the researcher notes after reporting this flaw, the response from WhatsApp and its parent company, Meta, has been disappointing: they do not seem to have any intention of fixing this security problem, so it is up to you to be aware and not fall into the trap.
