URLs Anchor Text Spoofing

Hello friends,

In this post I would talk about how to spoof URLs visually using Unicode character Right to Left Override (U+202E).

So let's start with "What is U+202E" ?

In very simple words it's a Unicode Character that VISUALLY changes all subsequent characters from right position to the left position.

Example :

In unicode aware environment "\u202Eabcdef" would be displayed as "fedcba" but the actual string would still be "\u202Eabcdef".

Demo in Browser Console :

This trick is very old and it was being used to spoof the extension of files.

However now the same method can be applied to spoof the anchor text of the URLs as well.

In many websites like Facebook, Gmail, Instagram, WhatsApp, etc this character (U+202E) is removed from the anchor link but kept in anchor text hence we can easily spoof the anchor text there.

Let's spoof the anchor text of URL "rakeshmane.com" to "facebook.com"

Now simply copy pasting it to a Facebook post :

As you can see the character (U+202E) is not present in the anchor link but it is present in the anchor text hence anchor text got spoofed to "www.facebook.com/security#/moc.enamhsekar" but clicking on the link would redirect you to "rakeshmane.com/#ytiruces/moc.koobecaf.www"

Evil stuffs you can do with this trick :

Same flaw on Gmail:

Again you can see the unicode (U+202E) character in action.

The actual problem arises when you send a download link of a file.
Using this trick an attacker can spoof the anchor text of URLs to a legitimate website so by thinking it's a legit website URL any user will simply click on the link and the malicious file from attackers website will be directly downloaded to victim machine and victim won't even notice.

Last time when I checked,  this trick worked on Instagram and WhatsApp as well.
However it's a Won't Fix issue. So sharing it to spread awareness.


Do not trust anchor text of URLs.

References :


Post a Comment

Popular Posts