Security News Apple's iMessage Exposes User IP Address and Device Details to Spammers

Exterminator

Apple might need to fine-tune the link preview feature the company added to iMessage in iOS 10 and macOS 10.12, released two weeks ago, in September.

According to Ross McKillop, this new feature contains an information leak bug that allows an attacker to learn an iMessage user's IP address, OS version, and device details.

Apple implemented link previews in an insecure manner
Link previews are the small content cards that appear whenever you type and share a URL in a chat window. IM services such as Facebook, Twitter, Skype, or Slack also provide this feature, which can be quite handy, offering a preview of what the link holds, without having to leave the IM app.

For the aforementioned services, whenever a user shares a link with a person he's chatting with, the service scans the link, accesses the URL, retrieves the data needed for a preview (page title, page description, thumbnail image), and embeds the data inside the user's chat window, when available.

All these operations are carried out from the IM service's servers and only the server's IP address is exposed when making the request for retrieving the link preview content.

McKillop says that this is not the case for iMessage, which performs these queries from the user's device.

Flaw can be used by spammers, nation-state actors
In a very plausible attack scenario, a threat actor or a spammer can send a victim a link to a site he controls.

When the user opens iMessage to see the message, even if he never clicks the link and accesses it, iMessage would connect to the URL automatically, and retrieve the necessary preview data.

The attacker's server would collect personal details for every user to whom the attacker sent a link via iMessage. This data is important, and exposing it might have dire consequences.

For example, a nation-state actor could learn a target's IP address, and get a general idea of the victim's geographical location, ISP provider, and even the target's real name.

Further, a spammer could use the collected information to hone future attacks and send spam or spear-phishing messages in the user's local language, or fine-tuned for mobile or desktop devices, based on a user's device details exposed by iMessage.

Flaw still active. No way to turn it off
Since there's no user interaction needed to exploit this flaw, the attack is trivial and available to any threat actor at the time of this article. Additionally, iMessage has no option that allows users to turn link previews off, on either iOS or macOS devices.

McKillop says that Apple could fix this issue in two ways. The first is to query for link preview data using its own servers and then insert the preview data inside iMessage, just like other IM services.

The second is more ingenious and doesn't require Apple to set up any additional servers. McKillop says that Apple could update iMessage so link previews are retrieved from the sender's device, and then embedded as metadata inside the sent message. In this case, attackers would be collecting data on their own devices.
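The second fix described above (the sender builds the preview and ships it inside the message) can be sketched as follows. This is an added example, not code from the article or from Apple; the JSON payload layout and the names `PreviewParser`, `build_message` and `render_received` are assumptions, and the HTML is a constructed sample.

```python
import json
from html.parser import HTMLParser

# Constructed sample: the page as fetched by the SENDER's device.
SAMPLE_HTML = """<html><head><title>Fallback title</title>
<meta property="og:title" content="Example Article">
<meta property="og:description" content="A short summary.">
</head><body>...</body></html>"""


class PreviewParser(HTMLParser):
    """Collects <title> and Open Graph tags, common sources of preview data."""
    FIELDS = {"og:title": "title", "og:description": "description"}

    def __init__(self):
        super().__init__()
        self.preview = {}
        self.title_text = ""
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "meta" and attrs.get("property") in self.FIELDS and attrs.get("content"):
            # Keep the first occurrence of each field.
            self.preview.setdefault(self.FIELDS[attrs["property"]], attrs["content"])

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title_text += data


def build_message(url, fetched_html):
    """Sender side: turn the page the sender fetched into embedded metadata."""
    parser = PreviewParser()
    parser.feed(fetched_html)
    preview = dict(parser.preview)
    preview.setdefault("title", parser.title_text.strip() or url)
    # A thumbnail would have to travel as embedded bytes, never as a URL
    # the recipient's device fetches, or the same leak returns.
    return json.dumps({"text": url, "preview": preview})


def render_received(message_json):
    """Recipient side: render from embedded metadata only; no request is made."""
    msg = json.loads(message_json)
    p = msg.get("preview", {})
    return f"{p.get('title', msg['text'])} | {p.get('description', '')}".strip(" |")
```

The recipient's code path contains no network call, so the only device that contacts the linked server is the sender's.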
 
