A clickjacking vulnerability in WhatsApp that enables phishing attacks

364 points, by enimodas, over 1 year ago

19 comments

blincoln, over 1 year ago
This is a pretty clever combination of feature misuse, although I think I'd rate the overall security impact fairly low, because the best-case scenario is that you cause the recipient to open a link in their browser. That can be useful in some cases, but unless the attacker is a police force, intelligence agency, or similar, there would usually need to be some kind of follow-up attack, e.g. exploiting unpatched software on the device.

In the interest of technical accuracy, I don't think I'd label this one "clickjacking" specifically. "Clickjacking" usually refers to a very specific technique that involves invisible HTML frames overlaid on top of other content.[1][2]

[1] https://owasp.org/www-community/attacks/Clickjacking
[2] https://portswigger.net/web-security/clickjacking
darkwater, over 1 year ago
Everyone is fixating on the UTF RTL character, but Meta should have at least acknowledged the issue with the preview URL that can be different from the message URL. I understand that this is probably to unfurl shortened URLs, but there has to be some clever workaround that Meta & Whatsapp can implement
Aachen, over 1 year ago
Clickjacking is where you perform a click on some element, but actually the click event is caught by a different element, typically laid transparently above the thing you think you're clicking on. The click can be detected by the attacker, despite you not getting the event, by making your visible underlying layer have focus and looking for the onblur event to fire.

What OP found is cool. I've also used RTL characters to make screensaver files (so just normal executables with a different extension in Windows) that looked like Word documents; I forgot why, maybe to prank a friend or teacher or so. OP has gone one step further and found a way to alter the display on another system. I'm not sure what this is called, though it's not clickjacking (the Wikipedia page OP links to in the article lede confirms that) because the user doesn't mistake which element they're clicking on, they mistake where a link will lead. I've also never seen clickjacking being abused in practice, but what OP found I can imagine will be abused!

Honestly I've long given up on users being able to tell which domain they'll end up on when clicking a link. A majority doesn't understand the concept anyway, and the remainder can't tell. Those who think they can tell (such as yours truly) end up getting frustrated when all links go to sendgrid.tld/j3ovi3bfogobbledypoop93jnri2o. We're training people to click random tracking-obfuscated, fishy-looking garbage every day and nobody bats an eye at it
tambourine_man, over 1 year ago
Nice hack. The real problem is not WhatsApp or the Unicode reverse character, though, it's that URLs are hard.

Just this simple visa.securesite.com fools a lot of people. And I don't see a good solution in the near future.
josephcsible, over 1 year ago
RTL has been a huge source of security vulnerabilities for its entire existence. Why don't operating systems have a setting to disable all RTL, so that people who don't know any such languages aren't unnecessarily exposed to the dangers with zero benefit?
Flimm, over 1 year ago
It's disappointing that Meta chose not to fix this and chose not to reward this researcher with a bug bounty.
eviks, over 1 year ago
> Exactly as I suspected, the link and the preview were sent separately!

This is an even bigger issue with the UI design: why should poor users compare links and previews to be safe?
bugsliker, over 1 year ago
I love that this is categorized as "reverse engineering" at the bottom of the post.
AlexSW, over 1 year ago
Interesting ideas and vulnerability! With a nice and concise summary. Thanks for sharing
charcircuit, over 1 year ago
This isn't clickjacking. Clickjacking is when an attacker hijacks a click to actually click on something else that the user was not intending to click or was not aware of clicking. The existence of the RTL codepoint to make text go from right to left is an i18n feature, and using it to confuse people is not a novel vulnerability.
iLoveOncall, over 1 year ago
I remember this already existed on Windows Explorer 2 decades ago; it's funny to see it "rediscovered".
aeonik, over 1 year ago
Very cool attack, and easy to read write-up.

I have one basic question: it was mentioned that attacking the encryption was skipped in favor of using a debugger.

Was this debugger applied to the WhatsApp Web app? Or was the debugger deployed on the phone? Was it an emulator?

For some reason I didn't think WhatsApp had a web app (I don't use it).
coderag, over 1 year ago
Interesting attack and a nice write-up. I see Google services are also mentioned. Are they taking any action on this, unlike Meta?
rashidujang, over 1 year ago
Amazing article! In case the author sees this, it'd be great if the author could deep dive into how he "found the right place" in finding the correct breakpoint to produce the decrypted message. It seems to me that if you're able to do this there are a lot of interesting things one could do.
neverrroot, over 1 year ago
Using a unicode character to reverse the order of characters and create links that have "trusted" value like: ln.instagram.com//:sptth. Neat, and indeed something that could be well exploited.
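Several comments in this thread (Aachen's and neverrroot's on the right-to-left override character, darkwater's and eviks' on the preview being sent separately from the link) describe the two things a messaging client or a mail/chat gateway could check for. The script below is an added example written for this thread; it is not code from the original write-up, from WhatsApp, or from any commenter. It flags Unicode bidi control characters inside a link, shows the simplified "visual" form a reader would see for the U+202E override case, and reports when the host of the separately supplied preview URL differs from the host of the actual link. The sample link, the host `evil.example`, and the reversed `instagram`-looking path are constructed for the demonstration.

```python
import unicodedata
from urllib.parse import urlsplit

# Characters with the Unicode Bidi_Control property: the overrides (LRO/RLO),
# embeddings, isolates and the marks. Any of these inside a link is worth
# flagging, because they change how a URL is displayed, not where it points.
BIDI_CONTROLS = frozenset(
    "\u061c\u200e\u200f\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069"
)


def find_bidi_controls(text):
    """Return (index, Unicode name) for every bidi control character in text."""
    return [(i, unicodedata.name(ch)) for i, ch in enumerate(text) if ch in BIDI_CONTROLS]


def strip_bidi_controls(text):
    """Remove bidi controls so the logical (real) URL can be parsed."""
    return "".join(ch for ch in text if ch not in BIDI_CONTROLS)


def visual_form(text):
    """Approximate what a reader sees: the run after U+202E (RLO), up to
    U+202C (PDF) or end of string, is displayed reversed. This is a deliberate
    simplification of the Unicode bidi algorithm that covers only the override
    case discussed in the thread; other control characters are just dropped."""
    out = []
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\u202e":
            end = text.find("\u202c", i + 1)
            if end == -1:
                end = len(text)
            out.append(text[i + 1:end][::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def host_of(url):
    """Lower-cased host of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def check_message(link_url, preview_url):
    """Findings for one message that carries a link plus a separately sent
    preview URL. An empty list means nothing suspicious was seen."""
    findings = []
    controls = find_bidi_controls(link_url)
    if controls:
        findings.append("bidi control characters in link: %r" % (controls,))
    link_host = host_of(strip_bidi_controls(link_url))
    preview_host = host_of(preview_url)
    if link_host != preview_host:
        findings.append(
            "preview host %r differs from link host %r" % (preview_host, link_host)
        )
    return findings


if __name__ == "__main__":
    # Constructed sample: the displayed text is a reversed instagram-looking
    # string behind an RLO, so it reads as "https://ln.instagram.com", while
    # the link's real host is the made-up evil.example and the preview claims
    # www.instagram.com.
    shown = "\u202emoc.margatsni.nl//:sptth"
    print("displayed as:", visual_form(shown))
    link = "https://evil.example/" + shown
    for finding in check_message(link, "https://www.instagram.com/"):
        print("finding:", finding)
```

The host comparison should be treated as a signal rather than a hard block: as darkwater notes, previews are often generated by unfurling shortened URLs, so a legitimate message can also have a preview host that differs from the link host. The safe UI response in that case is to show the reader the real destination host next to the preview, which is exactly what the override character prevents when the client renders the raw text.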
Erratic6576, over 1 year ago
Preview and message are sent separately. My intuition tells me the preview is used to track user activity. I wish I could contact the author to know more about how WhatsApp tracks activity
j4yav, over 1 year ago
Really interesting approach to use right-to-left override in that way; that's very clever.
Dah00n, over 1 year ago
What's up with the font?

> web' s

All 's have a space after them.
fruit2020, over 1 year ago
What's happening with the Whatsapp OS X app? It's so bad to use nowadays: slow, buggy.