Apple Messages could be exposing your privacy when it previews a link

Fortunately, it’s not impossible for Apple to fix…

David bisson
David Bisson

Rich links privacy

iMessages sent with Apple’s Messages app aren’t doing all they could to protect users’ information when they preview a URL mentioned in a conversation.

Link previews are common enough. They’re those little clickable cards that appear when you a share a link in a chat on Facebook or another instant messaging (IM) platform.

In most instances, the IM service scans a shared link for relevant data, including article data and thumbnail image, and uses that information to create a preview of the URL. Only the IM service’s server exposes its IP address during that process, thereby keeping both the sender’s and the recipient’s information safe.

Sign up to our free newsletter.
Security news, advice, and tips.

Unfortunately, Messages for iOS 10 and MacOS Sierra 10.12 doesn’t work like that.

Developer Ross McKillop explains how when Messages creates link previews it can share potentially sensitive information:

“iMessage makes a request from the device itself which reveals some significant information;

  • The target’s IP address
  • The target’s device type (iPad, iPhone, Mac)
  • The OS version”

But the issue doesn’t end there. Messages makes that request from each device operated by the recipient, which enables actors to conduct some reconnaissance on their target. For instance, they can compare the IP addresses yielded from a specific target’s laptop and iPhone to determine if they are connected to the same network, information which can reveal whether the recipient is on the go or at home.

Here are the two requests McKillop obtained from his Mac laptop and iPhone:

Screen shot 2016 10 05 at 10.19.50 am

Worse still, the request happens automatically. A recipient doesn’t need to click on a link for iMessage to make that request, something which attackers can exploit to their advantage.

As McKillop notes:

“As this request is clearly being made, and parsed, by Safari from the User-Agent string it’s reasonable to believe that there is potential that an exploit found in Safari could be triggered without the target even browsing to the site, simply by sending them an iMessage containing that URL.”

Apple hasn’t released a fix for the issue as of this writing.

But the company can patch the flaw by one of two ways. First, it can either purchase some new servers that would be responsible for querying link preview data and inserting that information into Messages. Second, it can extract information about the link from the sending device and embed that as metadata inside the message.

Let’s hope Apple issues a patch soon.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.