Hackers Abuse RTL/LTR Text Tricks and Browser Flaws to Mask Malicious Links

Cybersecurity researchers at Varonis Threat Labs have uncovered a persistent vulnerability that has remained unaddressed for over a decade, allowing attackers to exploit browser handling of Right-to-Left (RTL) and Left-to-Right (LTR) text scripts to create deceptive URLs.

This technique, known as BiDi Swap, enables threat actors to craft malicious links that appear legitimate to unsuspecting users, making it an effective tool for phishing campaigns.

Infographic showing different types of spoofing attacks including website, email, IP, GPS, and man-in-the-middle spoofing

Understanding the BiDi Swap Attack Method

The BiDi Swap technique exploits weaknesses in how browsers implement the Bidirectional Algorithm, part of the Unicode Standard designed to display mixed LTR and RTL scripts properly.

While this algorithm generally handles domain names correctly, it struggles with subdomains and URL parameters containing mixed text directions.

Attackers leverage this limitation to create URLs where the displayed text doesn’t match the actual destination, effectively masking ...