14 DAY TRIAL // Apple might need to fine-tune the link preview feature the company added to iMessage in iOS 10 and macOS 10.12, released two weeks ago, in September.
According to Ross McKillop, this new feature contains an information leak bug that allows an attacker to learn an iMessage user's IP address, OS version, and device details.
Apple implemented link previews in an insecure manner
Link previews are the small content cards that appear whenever you type and share a URL in a chat window. IM services such as Facebook, Twitter, Skype, or Slack also provide this feature, which can be quite handy, offering a preview of what the link holds, without having to leave the IM app.
For the aforementioned services, whenever a user shares a link with a person he's chatting, the service scans the link, accesses the URL, retrieves the data needed for a preview (page title, page description, thumbnail image), and embeds the data inside the user's chat window, when available.
All these operations are carried out from the IM service's servers and only the server's IP address is exposed when making the request for retrieving the link preview content.
McKillop says that this is not the case for iMessage, who performs these queries from the user's device.
Flaw can be used by spammers, nation-state actors
In a very plausible attack scenario, a threat actor or a spammer can send a victim a link to a site he controls.
When the user opens iMessage to see the message, even if he never clicks the link and accesses it, iMessage would connect to the URL automatically, and retrieve the necessary preview data.
The attacker's server would collect personal details for every user the attacker sent a link via iMessage. This data is important, and exposing it might have dire consequences.
For example, a nation-state actor could learn a target's IP address, and get a general idea of the victim's geographical location, ISP provider, and even the target's real name
Further, a spammer could use the collected information to hone future attacks and send spam or spear-phishing messages in the user's local language, or fine-tuned for mobile or desktop devices, based on a user's device details exposed by iMessage.
Flaw still active. No way to turn it off
Since there's no user interaction needed to exploit this flaw, the attack is trivial and available to any threat actor at the time of this article. Additionally, iMessage has no option that allows users to turn link previews off, neither on iOS or macOS devices.
McKillop says that Apple could fix this issue in two ways. The first is to query for link preview data using its own servers and then insert the preview data inside iMessage, just like other IM services.
The second is more ingenious and doesn't require Apple to set up any additional servers. McKillop says that Apple could update iMessages, so link previews are retrieved from the sender's device, and then embedded as metadata inside the sent message. In this case, attackers would be collecting data on their own devices.
