Download Filename Manipulation due to improper rendering of RTLO characters
This is one of the easiest bugs that I have found in a private bug bounty program.
The program had two of its browsers in its scope. I was testing for RTLO-related bugs, and I found that the downloads section of the browser was rendering the RTLO characters in an improper way.
RTLO stands for Right-To-Left Override: the Unicode control character U+202E (UTF-8 bytes E2 80 AE, hence %E2%80%AE in a URL), which forces the text that follows it to be displayed from right to left, unlike English, which is displayed from left to right. The character itself is invisible, and it only changes how a name is displayed: the file's real name and extension, and therefore how the operating system treats the file, are unchanged.
I made a quick PoC:
<a href="Link_TO_File_With_RTLO" download>apk rendered as txt file in browser downloads click here</a>
I named a file textfile%E2%80%AEtxt.apk, which is an APK. But when downloaded in those two browsers, it was displayed as textfilekpa.txt due to the improper handling of RTLO characters.
IMPACT: The victim downloads a file believing it is a text file, but opening it installs a malicious APK.
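The following is an added example, not code from the original writeup or from the affected browsers. It shows, for the exact filename used in the PoC, why the downloads UI displayed textfilekpa.txt while the file on disk remained an .apk, and it shows the check a downloads UI should apply: determine the extension from the real, control-stripped name and neutralise bidi override characters before displaying anything. The visualFilename function is a deliberate simplification of the Unicode bidi algorithm that is accurate for the ASCII-only tail in this case; the function names and the list of bidi controls (U+061C, U+200E, U+200F, U+202A-U+202E, U+2066-U+2069) are this example's own choices.

```javascript
// Added example (not part of the original writeup): how a filename containing
// U+202E (RIGHT-TO-LEFT OVERRIDE) is displayed versus what it really is, and
// the checks a downloads UI should apply before rendering the name.

const RLO = "\u202E";

// Unicode bidi control characters that can reorder or hide displayed text.
// Source pattern kept without the /g flag so .test() stays stateless; a
// global copy is built for replace().
const BIDI_CONTROL_SRC = "[\\u061C\\u200E\\u200F\\u202A-\\u202E\\u2066-\\u2069]";
const BIDI_CONTROL = new RegExp(BIDI_CONTROL_SRC);
const BIDI_CONTROL_ALL = new RegExp(BIDI_CONTROL_SRC, "g");

// The filename arrives percent-encoded in the download URL
// (e.g. textfile%E2%80%AEtxt.apk). Decoding it yields the raw U+202E.
function decodeFilename(encoded) {
  return decodeURIComponent(encoded);
}

// Approximates what a renderer does with a single RLO: the text after the
// override is drawn right-to-left, i.e. reversed. Sufficient for an
// ASCII-only tail such as "txt.apk"; not a full bidi implementation.
function visualFilename(name) {
  const i = name.indexOf(RLO);
  if (i === -1) return name;
  const head = name.slice(0, i);
  const tail = name.slice(i + 1).replace(BIDI_CONTROL_ALL, "");
  return head + [...tail].reverse().join("");
}

// The extension the OS will actually use: taken from the control-stripped
// real name, never from what the UI displays.
function realExtension(name) {
  const clean = name.replace(BIDI_CONTROL_ALL, "");
  const dot = clean.lastIndexOf(".");
  return dot === -1 ? "" : clean.slice(dot + 1).toLowerCase();
}

// Detection check for a downloads UI: any bidi control in a filename is
// suspicious and should be flagged or warned about.
function hasBidiControls(name) {
  return BIDI_CONTROL.test(name);
}

// Display hardening: replace each bidi control with U+FFFD so the visible
// name can no longer be reordered, while making the tampering obvious.
function sanitizeForDisplay(name) {
  return name.replace(BIDI_CONTROL_ALL, "\uFFFD");
}

// Walk through the PoC filename from the writeup.
const poc = decodeFilename("textfile%E2%80%AEtxt.apk");
console.log("displayed as   :", visualFilename(poc));     // textfilekpa.txt
console.log("real extension :", realExtension(poc));      // apk
console.log("flagged        :", hasBidiControls(poc));    // true
console.log("safe display   :", sanitizeForDisplay(poc)); // textfile\uFFFDtxt.apk
```

The mismatch between visualFilename and realExtension is the whole bug: a downloads UI that derives the file-type label or icon from the displayed string, rather than from the real extension, is what lets an APK pass as a text file.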
The bug was fixed within a month and a new release was rolled out. The private program also acknowledged me in their HOF and rewarded a small amount.
References to similar bugs: