Download Filename Manipulation due to improper rendering of RTLO characters
This is one of the easiest bugs I have found in a private bug bounty program.
The program had two of its browsers in scope. While testing for RTLO-related bugs, I found that the downloads section of the browser rendered RTLO characters improperly.
RTLO stands for Right-To-Left Override: the Unicode control character U+202E (percent-encoded as %E2%80%AE below), which forces the text that follows it to be rendered from right to left, unlike English, which is rendered from left to right.
I made a quick PoC:
<a href="Link_TO_File_With_RTLO" download>apk rendered as txt file in browser downloads click here</a>
I named the file textfile%E2%80%AEtxt.apk, which is an APK. But when it was downloaded in those two browsers, the downloads section rendered the name as textfilekpa.txt because of the improper handling of the RTLO character: everything after U+202E is drawn reversed, so the real .apk extension appears as .txt.
IMPACT: The victim downloads a file thinking it is a text file but ends up installing a malicious APK.
The bug was fixed within a month and a new release was rolled out. The private program also acknowledged me in their HOF and rewarded a small amount.
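As an added illustration (not part of the original write-up or of either browser's code), the check below shows what a download manager should do: percent-decode the filename, flag any Unicode bidi control character, show how a naive renderer would display the name, and strip the controls so the displayed name matches the saved one. The sample filename is the one from the PoC above.

```python
from urllib.parse import unquote

# Unicode bidirectional control characters that can reorder displayed text.
# U+202E (RIGHT-TO-LEFT OVERRIDE) is the one used in this write-up; it shows
# up percent-encoded as %E2%80%AE in the PoC link.
BIDI_CONTROLS = frozenset(
    "\u200e\u200f"                     # LRM, RLM
    "\u202a\u202b\u202c\u202d\u202e"   # LRE, RLE, PDF, LRO, RLO
    "\u2066\u2067\u2068\u2069"         # LRI, RLI, FSI, PDI
)

def decode_download_name(raw: str) -> str:
    """Percent-decode a filename taken from a URL or Content-Disposition value."""
    return unquote(raw)

def has_bidi_control(name: str) -> bool:
    """True if the name carries any bidi control character (detection signal)."""
    return any(ch in BIDI_CONTROLS for ch in name)

def apparent_name(name: str) -> str:
    """Approximate what a naive renderer shows for a name with one RLO:
    everything after U+202E is displayed reversed."""
    head, sep, tail = name.partition("\u202e")
    return head + tail[::-1] if sep else name

def real_extension(name: str) -> str:
    """Extension the OS will actually use when the file is opened."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def apparent_extension(name: str) -> str:
    """Extension the user believes they see in the downloads list."""
    return real_extension(apparent_name(name))

def sanitize_download_name(raw: str) -> str:
    """Mitigation: drop every bidi control so what is shown is what is saved."""
    return "".join(ch for ch in decode_download_name(raw) if ch not in BIDI_CONTROLS)

def check_download(raw: str) -> dict:
    """Summarise the mismatch between displayed and real extension for a download."""
    name = decode_download_name(raw)
    return {
        "decoded": name,
        "suspicious": has_bidi_control(name),
        "apparent": apparent_name(name),
        "real_ext": real_extension(name),
        "apparent_ext": apparent_extension(name),
        "safe_name": sanitize_download_name(raw),
    }
```

Running `check_download("textfile%E2%80%AEtxt.apk")` reports the name as suspicious, shows it would appear as textfilekpa.txt while the real extension is apk, and yields the sanitized name textfiletxt.apk.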
References to similar bugs:
Illegal Rendered at Download Feature in Opera Mini that Lead to Extension Manipulation (with RTLO)
HackerOne disclosed on HackerOne: Domain spoofing in redirect page...