CVE-2020-20093

MEDIUM

Facebook Messenger <227.0-228.1.0.10.116 - CSRF

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-20093. PoCs published by zadewg.

AI-analyzed exploit summary: This PoC demonstrates RTLO (Right-to-Left Override) injection URI spoofing affecting multiple messaging apps (WhatsApp, iMessage, Instagram, Facebook Messenger, Signal). The exploit generates deceptive URLs that appear legitimate but redirect to attacker-controlled domains.

Description

The Facebook Messenger app for iOS 227.0 and prior and Android 228.1.0.10.116 and prior user interface does not properly represent URI messages to the user, which results in URI spoofing via specially crafted messages.

Exploits (1)

nomisec WORKING POC 89 stars
by zadewg · poc
https://github.com/zadewg/RIUS

Classification: Working PoC 90%
Attack Type: Other
Complexity: Trivial
Reliability: Reliable
Target: WhatsApp (iOS/Android), Instagram (iOS/Android), iMessage (iOS), Facebook Messenger (iOS/Android), Signal
No auth needed
Prerequisites: None
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References
Exploit, Third Party Advisory x_refsource_misc
https://github.com/zadewg/RIUS
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/166448/RTLO-Injection-URI-Spoofing.html

Scores

CVSS v3 6.5
EPSS 0.0231
EPSS Percentile 81.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Details

Status published
Products (2)
facebook/messenger < 227.0
facebook/messenger < 228.1.0.10.116
Published Mar 23, 2022
Tracked Since Feb 18, 2026