iMessages sent with Apple’s Messages app aren’t doing all they could to protect users’ information when they preview a URL mentioned in a conversation.
Link previews are common enough. They’re those little clickable cards that appear when you share a link in a chat on Facebook or another instant messaging (IM) platform.
In most instances, the IM service scans a shared link for relevant data, including article data and thumbnail image, and uses that information to create a preview of the URL. Only the IM service’s server exposes its IP address during that process, thereby keeping both the sender’s and the recipient’s information safe.
Unfortunately, Messages for iOS 10 and macOS Sierra 10.12 doesn’t work like that.
Developer Ross McKillop explains how Messages can share potentially sensitive information when it creates link previews:
“iMessage makes a request from the device itself which reveals some significant information;
- The target’s IP address
- The target’s device type (iPad, iPhone, Mac)
- The OS version”
But the issue doesn’t end there. Messages makes that request from each device operated by the recipient, which enables actors to conduct some reconnaissance on their target. For instance, they can compare the IP addresses yielded from a specific target’s laptop and iPhone to determine if they are connected to the same network, information which can reveal whether the recipient is on the go or at home.
Here are the two requests McKillop obtained from his Mac laptop and iPhone:
Worse still, the request happens automatically. A recipient doesn’t need to click on a link for iMessage to make that request, something which attackers can exploit to their advantage.
As McKillop notes:
“As this request is clearly being made, and parsed, by Safari from the User-Agent string it’s reasonable to believe that there is potential that an exploit found in Safari could be triggered without the target even browsing to the site, simply by sending them an iMessage containing that URL.”
Apple hasn’t released a fix for the issue as of this writing.
But the company can patch the flaw in one of two ways. First, it can purchase some new servers that would be responsible for querying link preview data and inserting that information into Messages. Second, it can extract information about the link from the sending device and embed that as metadata inside the message.
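The second option, sketched as an added example (this is not Apple's code or message format; the JSON layout, `build_message`, `render_preview` and the injected `fetch_bytes` callable are all hypothetical). The sender resolves the preview once and embeds the thumbnail bytes rather than the thumbnail URL, so the recipient's devices can draw the card without making any request:

```python
import base64
import json
from html.parser import HTMLParser

# Constructed sample page, standing in for what the sender's device fetched.
SAMPLE_HTML = ('<html><head><title>Fallback title</title>'
               '<meta property="og:title" content="Example article">'
               '<meta property="og:image" content="https://example.com/thumb.png">'
               '</head><body></body></html>')


class _MetaParser(HTMLParser):
    """Collects Open Graph <meta> tags and the <title> text."""

    def __init__(self):
        super().__init__()
        self.og, self.title, self._in_title = {}, "", False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "meta" and (a.get("property") or "").startswith("og:"):
            self.og[a["property"][3:]] = a.get("content") or ""

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def build_message(url, html, fetch_bytes):
    """Sender side: resolve the preview once and embed it in the message."""
    p = _MetaParser()
    p.feed(html)
    preview = {"title": p.og.get("title") or p.title.strip()}
    if p.og.get("image"):
        # Embed the thumbnail bytes, not its URL: a URL would make the
        # recipient's device fetch it and expose its IP and User-Agent again.
        preview["thumb_b64"] = base64.b64encode(fetch_bytes(p.og["image"])).decode()
    return json.dumps({"text": url, "preview": preview})


def render_preview(message_json):
    """Recipient side: build the card from embedded metadata only, no network."""
    msg = json.loads(message_json)
    pv = msg.get("preview") or {}
    thumb = base64.b64decode(pv.get("thumb_b64", ""))
    return {"link": msg["text"], "title": pv.get("title", ""), "thumb": thumb}
```

With this design only the sender, who already chose to visit or share the link, contacts the remote server; the recipient trusts the sender's metadata until they decide to open the link.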
Let’s hope Apple issues a patch soon.