Patch Date
March 21, 2016
Reported Date
February 2016
Vendor
Apple
Systems Affected
Messages (iMessage) <= 9.1 on OS X (versions prior to OS X El Capitan v10.11.4)
Summary
Messages (iMessage) for OS X, Apple's messaging client, implements much of its user interface via an embedded WebKit view. Messages also renders any URI it finds in a message as a clickable HTML link (an `<a href=...>` element) without restricting the URI scheme. An attacker can therefore send a simple `javascript:` URI that, when clicked, executes the attacker's JavaScript in the context of the application's DOM (cross-site scripting). Although the embedded WebKit view used by Messages for OS X runs in an `applewebdata://` origin, no same-origin policy is implemented for it, so the injected script can read arbitrary local files by issuing `XMLHttpRequest` (XHR) GET requests to `file://` URIs. By abusing XHR in this way, an attacker can read the victim's entire chat history and attachments and upload them to a remote server. The only user interaction required is a single click on the link. Furthermore, if the victim has text-message forwarding (SMS forwarding) enabled for their computer, the attacker can also recover any SMS messages sent to or from the victim's iPhone.
Vendor Status
OS X El Capitan v10.11.4 and Security Update 2016-002, released March 21, 2016, fix this issue. The CVE for this vulnerability is CVE-2016-1764.
Exploit Details
Our accompanying blog post has a detailed write-up of how this vulnerability was exploited.
Researchers
- Shubham Shah of Bishop Fox
- Joe DeMesy of Bishop Fox
- Matthew Bryant of the Uber Security Team (formerly of Bishop Fox)