A set of flaws affecting the world’s leading messaging and email platforms, including Instagram, iMessage, WhatsApp, Signal, and Facebook Messenger, has allowed threat actors to create legitimate-looking phishing URLs for the past three years.
While this vulnerability is particularly insidious due to its simplicity, it\’s not the first URL rendering issue to affect mobile devices. Between mobile browsers not showing full URLs in address bars, abuse of URL shorteners and hosting malicious content on trusted domains, mobile browsing is fraught with peril.
It\’s important to remember that just because apps tout \”end to end encryption\” and other privacy protection features, that does not mean that any content sent via the apps is automatically secure. At minimum, users should treat any unexpected messages from unknown senders with great suspicion. But really any links received over messaging apps can be problematic. Disabling \”link previews\” within the apps themselves also helps to limit exposure.
Another option to try and limit collateral damage is to use multiple browser applications on your mobile device. Set the default browser, the app that will open tapped links, to something not used for day to day \”manual\” browsing, so cookies and other sensitive information are not readily exposed.
While this vulnerability is particularly insidious due to its simplicity, it\’s not the first URL rendering issue to affect mobile devices. Between mobile browsers not showing full URLs in address bars, abuse of URL shorteners and hosting malicious content on trusted domains, mobile browsing is fraught with peril.
It\’s important to remember that just because apps tout \”end to end encryption\” and other privacy protection features, that does not mean that any content sent via the apps is automatically secure. At minimum, users should treat any unexpected messages from unknown senders with great suspicion. But really any links received over messaging apps can be problematic. Disabling \”link previews\” within the apps themselves also helps to limit exposure.
Another option to try and limit collateral damage is to use multiple browser applications on your mobile device. Set the default browser, the app that will open tapped links, to something not used for day to day \”manual\” browsing, so cookies and other sensitive information are not readily exposed.