CVE-2022-28345: 
NixOS vulnerability analysis and mitigation

The Signal app before version 5.34 for iOS contains a URI spoofing vulnerability (CVE-2022-28345) discovered in March 2022. The vulnerability allows attackers to perform RTLO (right to left override) injection to create deceptive URLs. The flaw affects the way the application renders URLs that contain RTLO Unicode control characters combined with non-breaking spaces and hash characters (Malwarebytes Blog, Sick Codes).

The vulnerability occurs when the application incorrectly renders RTLO encoded URLs beginning with a non-breaking space when there is a hash character in the URL. The flaw specifically affects the non-http/non-https automatic rendering of URLs on the iOS client application for top-level domains. The issue has been assigned a CVSS v3.1 base score of 7.5 HIGH (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), indicating high severity (NVD).

This vulnerability allows remote unauthenticated attackers to send legitimate-looking links that appear to be from any website URL. For example, an attacker can spoof domains like example.com and masquerade any URL with a malicious destination. The attack requires a subdomain such as gepj, txt, fdp, or xcod, which would appear backwards as jpeg, txt, pdf, and docx respectively (Sick Codes Advisory).

The vulnerability was fixed in Signal iOS client version 5.34, released around April 7-8th 2022. The patch was implemented through a code update in the Signal iOS repository. Users should update to version 5.34 or later to protect against this vulnerability (Sick Codes).