Unrated severity · NVD Advisory · Published Apr 15, 2022 · Updated Aug 3, 2024
CVE-2022-28345
Description
The Signal app before 5.34 for iOS allows URI spoofing via RTLO (right-to-left override) injection. It incorrectly renders RTLO-encoded URLs that begin with a non-breaking space when there is a hash character in the URL. This technique allows a remote, unauthenticated attacker to send legitimate-looking links that appear to be any website URL, by abusing the automatic rendering of non-http/non-https URLs. An attacker can spoof, for example, example.com, and make a URL with a malicious destination masquerade as any URL. The attacker requires a subdomain such as gepj, txt, fdp, or xcod, which would appear backwards as jpeg, txt, pdf, and docx respectively.
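The defensive side of the description above is a detection problem: the rendered text and the logical string differ only because of Unicode bidirectional control characters, so a client or a message-scanning pipeline can flag or neutralize them before auto-linking. The following is an added example written for this page, not code from Signal or from the advisory authors; it uses Python's standard `unicodedata` module and constructed sample messages, and the `matches_advisory_pattern` check is an assumption drawn from the description (RLO directly after a non-breaking space, with a `#` later in the string).

```python
import unicodedata

# Unicode bidirectional classes of the explicit formatting/override characters.
# RLO (U+202E, the "RTLO" in the advisory) is the one this CVE abuses, but any of
# these can make a string display in an order different from its logical order.
BIDI_CONTROL_CLASSES = {"LRE", "RLE", "LRO", "RLO", "PDF", "LRI", "RLI", "FSI", "PDI"}
NBSP = "\u00a0"   # non-breaking space named in the advisory
RLO = "\u202e"    # RIGHT-TO-LEFT OVERRIDE


def find_bidi_controls(text):
    """Return (index, 'U+XXXX', bidi class) for every bidi control char in text."""
    hits = []
    for i, ch in enumerate(text):
        cls = unicodedata.bidirectional(ch)
        if cls in BIDI_CONTROL_CLASSES:
            hits.append((i, f"U+{ord(ch):04X}", cls))
    return hits


def matches_advisory_pattern(text):
    """True if text has the specific shape the advisory describes (an assumption
    drawn from the description): an RLO that directly follows a non-breaking
    space, with a '#' somewhere after it."""
    start = text.find(NBSP + RLO)
    return start != -1 and "#" in text[start + 2:]


def neutralize(text):
    """Strip bidi controls so what is displayed is what the string actually says.
    Hypothetical mitigation; a client could equally refuse to auto-link such text."""
    return "".join(
        ch for ch in text if unicodedata.bidirectional(ch) not in BIDI_CONTROL_CLASSES
    )


def triage(messages):
    """Classify each message as 'clean' (no bidi controls), 'bidi' (contains a
    bidi control), or 'advisory' (has the exact NBSP + RLO + '#' shape)."""
    result = {}
    for msg in messages:
        if matches_advisory_pattern(msg):
            result[msg] = "advisory"
        elif find_bidi_controls(msg):
            result[msg] = "bidi"
        else:
            result[msg] = "clean"
    return result


# Constructed sample messages (not taken from the advisory); example.com is reserved.
SAMPLES = [
    "report: https://example.com/report.pdf",
    "see" + NBSP + RLO + "fdp.example.com#1",
    "note\u2067mixed\u2069text",
]

if __name__ == "__main__":
    for msg, verdict in triage(SAMPLES).items():
        print(verdict, find_bidi_controls(msg), repr(neutralize(msg)))
```

Classifying on the bidi class rather than on a hard-coded list of code points means every explicit override, embedding and isolate character is caught, not only U+202E; the narrower `matches_advisory_pattern` check is useful for correlating hits with this specific CVE, but the broad check is the one to alert on.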
References
- blog.malwarebytes.com/social-engineering/2022/03/uri-spoofing-flaw-could-phish-whatsapp-signal-instagram-and-imessage-users/
- github.com/sickcodes/security/blob/master/advisories/SICK-2022-42.md
- sick.codes/sick-2022-42