Download Filename Manipulation due to improper rendering of RTLO characters

This is one of the easiest bug that I have found in a private bugbounty program.

The program had two of it’s browsers in it’s scope. I was testing for RTLO related bugs,I found that the downloads section of the browser was rendering the rtlo characters in the improper way.

RTLO characters are “Right-To-Left-Override” characters which is rendered from right to left ,unlike English which is rendered from left to right.

I made a quick POC,

<html>
<head><title></title></head>
<body>
<a href="Link_TO_File_With_RTLO" download>apk rendered as txt file in browser downloads click here</a>
</body>
</html>

I named a file as textfile%E2%80%AEtxt.apk, which is a apk.But when downloaded in those two browser was rendered as textfilekpa.txt due to the improper handling of RTLO characters.

IMPACT: Victim downloads a file thinking it’s text file but ends up installing malicious apk.

The bug was fixed quickly in a month and a new release was rolled out ,The private program also acknowledged me in their HOF and rewarded a small amount.

References to similar bugs: