URL Rendering Trick Enabled WhatsApp, Signal, iMessage Phishing

A set of flaws affecting the world’s leading messaging and email platforms, including Instagram, iMessage, WhatsApp, Signal, and Facebook Messenger, has allowed threat actors to create legitimate-looking phishing URLs for the past three years.

Experts Comments

March 28, 2022
Daniel Schwalbe
CISO
DomainTools

While this vulnerability is particularly insidious due to its simplicity, it's not the first URL rendering issue to affect mobile devices. Between mobile browsers not showing full URLs in address bars, abuse of URL shorteners and hosting malicious content on trusted domains, mobile browsing is fraught with peril.

It's important to remember that just because apps tout "end to end encryption" and other privacy protection features, that does not mean that any content sent via the apps is automatically secure. At minimum, users should treat any unexpected messages from unknown senders with great suspicion. But really any links received over messaging apps can be problematic. Disabling "link previews" within the apps themselves also helps to limit exposure.

Another option to try and limit collateral damage is to use multiple browser applications on your mobile device. Set the default browser, the app that will open tapped links, to something not used for day to day "manual" browsing, so cookies and other sensitive information are not readily exposed.
