Tune into our first episode of Tool Talk: a how-to series for hackers. REGISTER ›

OS X Messages (iMessage): XSS & File Disclosure

High-Risk Security Vulnerability found by Bishop Fox Research Team

Share

Patch Date

March 21, 2016

Reported Date

February 2016

Vendor

Apple

Systems Affected

Messages (iMessage) on OS X <= 9.1

Summary

Messages (iMessage) for OS X, a popular messaging platform from Apple, implements much of its user interface via an embedded version of WebKit. iMessage will also render any URI as a clickable HTML <a href= link. An attacker can create a simple JavaScript URI (e.g., javascript:) that, when clicked, allows the attacker’s code to gain initial execution (cross-site scripting) in the context of the application DOM. Though the embedded WebKit library used by Messages for OS X executes in an ‘applewebdata://’ origin, an attacker can still read arbitrary files via ‘XMLHttpRequest’ (XHR) GET requests to a `file://`URI since there is no same-origin policy implemented. By abusing XHR, an attacker can read and subsequently upload a victim’s entire chat history and attachments to a remote server. The only user interaction required is clicking on a link. Furthermore, if the victim has text messages forwarded to their computer (SMS forwarding), the attacker can also recover any messages sent to or from the victim’s iPhone.

Vendor Status

The OS X El Capitan v10.11.4 and Security Update 2016-002 fixed this issue as of March 21, 2016. The CVE for this vulnerability is CVE-2016-1764.

Exploit Details

Our accompanying blog post has a detailed write-up of how this vulnerability was exploited.

Researchers


Default fox headshot blue

About the author, Joe DeMesy, Shubham Shah, and Matthew Bryant

Joe DeMesy, Shubham Shah, and Matthew Bryant collaborated on security research into popular messaging platforms, most notably Apple iMessage, in 2016.

More by Joe

This site uses cookies to provide you with a great user experience. By continuing to use our website, you consent to the use of cookies. To find out more about the cookies we use, please see our Privacy Policy.