Apple has patched a major vulnerability in iMessage that allowed attackers to pull a target's message history through a bogus link. Once clicked, the link pulled data from within the iMessage application and exported it to an outside source. Apple's larger security protections prevented the attack from installing malware or pulling data from outside the iMessage application, but it still represents a significant data breach for any user tempted into clicking on the bogus link.
The attack primarily targeted the OS X version of iMessage, but could also recover messages from iPhones if the target enabled SMS forwarding. The bug was discovered by a trio of researchers — Joe DeMesy and Shubham Shah, with the help of Matt Bryant from Uber's security team — who reported it to Apple before making the details of the attack public. There's no evidence the vulnerability was exploited for criminal purposes before being patched.
The new bug comes just a few weeks after researchers at Johns Hopkins published a way to view sent photos and videos, a vulnerability that was patched with iOS 9.3. That attack worked by masquerading as an Apple server, then brute-forcing the resulting encryption until the media was decoded.
While powerful, the attack relied on relatively basic techniques, using JavaScript code in place of an iMessage URL in a classic cross-site scripting attack. Apple patched the vulnerability, tracked as CVE-2016-1764, in an update last month. The company did not immediately respond to a request for comment; we will update this post with any response.