Headline
CVE-2022-35962: Crafted link in Zulip message can cause disclosure of credentials
Zulip is an open source team chat and Zulip Mobile is an app for iOS and Android users. In Zulip Mobile through version 27.189, a crafted link in a message sent by an authenticated user could lead to credential disclosure if a user follows the link. A patch was released in version 27.190.
Impact
In Zulip Mobile versions up through v27.189, a crafted, malformed image link in a message sent by an authenticated user could lead to credential disclosure for a user who taps the image link.
This issue was discovered internally by the Zulip team. A complete audit on Zulip Cloud determined the vulnerability has never been exploited there.
Patches
This vulnerability is fixed in Zulip Mobile version v27.190.
Workarounds
Upgrading the Zulip server to Zulip Server 5.6 or later will prevent sending malformed links, making it impossible for this issue to be exploited. Zulip Cloud has been similarly upgraded.
References
- Blog post: https://blog.zulip.com/2022/08/24/zulip-server-5-6-security-release/
For more information
If you have any questions or comments about this advisory, you can discuss them on the developer community Zulip server, or email the Zulip security team.