PT-2022-18966 · Signal · Esignal
Sick Codes +1 · Published 2022-04-14 · Updated 2022-04-26 · CVE-2022-28345
| CVSS v3.1 | 7.5 (High) |
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Signal versions prior to 5.34 for iOS
Description
The issue allows a remote unauthenticated attacker to send legitimate-looking links that appear to be any website URL by abusing the automatic rendering of non-http/non-https URLs. This is achieved through RTLO (right-to-left override) injection, where an attacker can spoof, for example, example.com, and disguise a malicious destination as any URL. The attacker requires a subdomain such as gepj, txt, fdp, or xcod, which would appear backwards as jpeg, txt, pdf, and docx respectively. The flaw lies in the incorrect rendering of RTLO-encoded URLs that begin with a non-breaking space when the URL contains a hash character.
Recommendations
For Signal versions prior to 5.34 for iOS, update to version 5.34 or later to resolve the issue. As a temporary workaround, consider avoiding the use of URLs with non-http/non-https automatic rendering until a patch is applied. Restrict access to potentially malicious links to minimize the risk of exploitation.
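As an added example (not part of the advisory and not Signal's code), the check below shows how a message filter or link-preview pipeline could flag link-like text that carries bidirectional control characters, and report the two conditions the description names (a leading non-breaking space and a hash character). It covers the other Unicode bidi controls as well as RTLO; the function names, the link heuristic and the sample strings are constructed for illustration.

```python
import re

# Unicode bidirectional formatting characters (UAX #9) that change display order.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
    "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI", "\u200e": "LRM", "\u200f": "RLM", "\u061c": "ALM",
}
NBSP = "\u00a0"
# Split on ASCII whitespace only, so a leading NBSP stays attached to its token.
ASCII_WS = re.compile(r"[ \t\r\n]+")
# Rough "looks like a link" heuristic (assumption): a dotted name with a letter
# in the label after the dot.
LINKISH = re.compile(r"[^\s.]+\.[^\s.]*[A-Za-z]")


def escape_bidi(token):
    """Make the logical (stored) order visible by spelling out bidi controls."""
    out = []
    for ch in token:
        if ch in BIDI_CONTROLS:
            out.append("<%s>" % BIDI_CONTROLS[ch])
        elif ch == NBSP:
            out.append("<NBSP>")
        else:
            out.append(ch)
    return "".join(out)


def audit_message(text):
    """Return one finding per link-like token that carries a bidi control."""
    findings = []
    for token in ASCII_WS.split(text):
        controls = sorted({BIDI_CONTROLS[c] for c in token if c in BIDI_CONTROLS})
        stripped = "".join(c for c in token if c not in BIDI_CONTROLS and c != NBSP)
        if not controls or not LINKISH.search(stripped):
            continue
        findings.append({
            "logical": escape_bidi(token),       # what is stored, not what is drawn
            "controls": controls,
            "leading_nbsp": token.startswith(NBSP),
            "has_fragment": "#" in token,
        })
    return findings


# Constructed sample messages (not captured traffic).
SAMPLES = [
    "notes at https://example.test/docs#intro",
    "file: " + NBSP + "\u202e" + "abc.example.test/#x",
]
```

A finding's `logical` field is the string to show a reviewer or log, since it cannot be reordered by the display layer.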
Exploit
Fix
Special Elements Injection
Weakness Enumeration
Related Identifiers
Affected Products
Esignal