Hacking

Apple iMessage flaw exposed chat history and more with a single click

A group of security researchers found a vulnerability in Apple's iMessage client for OS X that exposed a victim's chat history and other sensitive data after a single click on a malicious link.

WhatsApp recently introduced end-to-end encryption to protect its users from eavesdropping, and many other companies are adopting the same improvement, but encryption in transit does not cover every case: the client that decrypts and displays the messages can still expose its users to attack.

This is the case of Apple's Messages app, aka iMessage. The company has now fixed a vulnerability (CVE-2016-1764) in its Messages app that exposed chat history, including photos and videos, if the user could be tricked, through social engineering, into clicking a malicious link.

The bug in the Apple Messages app was discovered six months ago and affected the OS X client on both laptop and desktop Macs; Apple fixed it with the OS X update issued on March 21 (the advisory lists OS X El Capitan 10.11 through 10.11.3 as affected).

“Messages – Available for: OS X El Capitan v10.11 to v10.11.3

Impact: Clicking a JavaScript link can reveal sensitive user information

Description: An issue existed in the processing of JavaScript links. This issue was addressed through improved content security policy checks.

CVE-ID – CVE-2016-1764 : Matthew Bryant of the Uber Security Team (formerly of Bishop Fox), Joe DeMesy and Shubham Shah of Bishop Fox” states the security advisory issued by Apple.

Last Friday, the researchers who found the issue disclosed further details about the vulnerability and published proof-of-concept code.

“CVE-2016-1764, fixed by Apple in March of 2016, is an application-layer bug that leads to the remote disclosure of all message content and attachments in plaintext by exploiting the OS X Messages client. In contrast to attacking the iMessage protocol, it is a relatively simple bug. You don’t need a graduate degree in mathematics to exploit it, nor does it require advanced knowledge of memory management, shellcode, or ROP chains. All an attacker requires is a basic understanding of JavaScript.” explained the team in a blog post.

The team also published a video demonstrating the PoC.

The experts highlighted that the flaw does not affect the iMessage protocol itself; it resides in the client software, Apple's Messages app for OS X. The only affected versions are those shipped with OS X El Capitan (10.11 through 10.11.3); other Apple platforms are not affected.

The attack is dangerous because it can be carried out remotely and results in the theft of sensitive data: the attacker only needs to trick the victim into clicking a specially crafted hyperlink delivered via instant message.

When the victim clicks the link, the attacker's JavaScript executes inside the Messages app's own web view, not in an isolated browser sandbox, so it runs with the app's access to the locally stored messages and attachments. The damage is not limited to iMessage chats: if the victim had enabled forwarding of text messages from their iPhone to the Mac, the attacker could also obtain all of their SMS messages.

“The only user interaction required for a successful attack is a single click on a URL. Furthermore, if the victim has the ability to forward text messages from their computer (SMS forwarding) enabled, the attacker can also recover any messages sent to or from the victim’s iPhone.” states the team.

The researchers explained that the flaw lies in how Messages uses WebKit, the open-source browser engine, to render message content, and in the app's willingness to execute a script from a clicked javascript: link in that context. Many other applications embed WebKit in the same way, so the same class of bug can turn up elsewhere.

Apple applied a simple fix: Messages now blocks hyperlinks that would execute JavaScript, which the advisory describes as improved content security policy checks.
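As an added illustration of the link-handling check described above (this is example code written for this article, not Apple's fix nor the Bishop Fox PoC), the snippet below contrasts a naive "does it start with javascript:" test with an allowlist built on a real URL parser. The client, web view, function names and the sample links are all constructed for the example; the point it shows is that a prefix check is bypassed by mixed case, leading whitespace and embedded tab or newline characters, all of which WebKit-style parsers tolerate before resolving the scheme, whereas parsing first and allowing only http, https and mailto closes the whole class.

```javascript
// Added example, not code from Apple or Bishop Fox: link validation for a chat
// client that renders messages in an embedded WebKit-style view.
// Assumption: the client receives an href string from an incoming message and
// must decide whether a click may hand that URL to the web view.

const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Weak check: the first thing many authors write. It misses mixed case,
// leading whitespace and embedded tab/newline characters, all of which the
// WHATWG URL parser (and WebKit) strip or normalise before reading the scheme.
function weakIsSafeLink(href) {
  return !href.startsWith('javascript:');
}

// Hardened check: parse with the WHATWG URL parser, which removes ASCII tab
// and newline, trims leading/trailing C0 controls and spaces, and lower-cases
// the scheme; then allow only an explicit list of schemes. Anything that does
// not parse is refused rather than passed through.
function isSafeLink(href) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return false; // relative or malformed: refuse, do not guess
  }
  return ALLOWED_SCHEMES.has(url.protocol);
}

// Click dispatcher a Messages-like client would call. `webView` is a
// hypothetical object with a load(url) method; only allowlisted links reach it.
function openLink(href, webView) {
  if (!isSafeLink(href)) {
    return { opened: false, reason: 'blocked scheme in ' + JSON.stringify(href) };
  }
  webView.load(href);
  return { opened: true };
}

// Constructed sample links. The last six pass the weak check and fail the
// hardened one; file:// points at the real OS X Messages database path to
// show what local-origin script access would reach.
const SAMPLE_LINKS = [
  'https://example.com/photo.jpg',
  'mailto:alice@example.com',
  'javascript:alert(1)',
  'JavaScript:alert(1)',
  '  javascript:alert(1)',
  'java\tscript:alert(1)',
  'java\nscript:alert(1)',
  'file:///Users/victim/Library/Messages/chat.db',
  'data:text/html,<script>alert(1)</script>',
];

// Returns one row per link with both verdicts, for side-by-side comparison.
function evaluate(links) {
  return links.map((href) => ({
    href,
    weak: weakIsSafeLink(href),
    hardened: isSafeLink(href),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const row of evaluate(SAMPLE_LINKS)) {
    console.log(JSON.stringify(row));
  }
}
```

Run it with `node` to print the table. The design choice worth copying is the order of operations: parse, then allowlist, then load. A denylist applied to the raw string is the pattern that fails, because the renderer normalises the string after the check has already seen it.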


Pierluigi Paganini 

(Security Affairs – Apple iMessage, hacking)

