Bishop Fox named “Leader” in 2024 GigaOm Radar for Attack Surface Management. Read the Report ›

If You Can't Break Crypto, Break the Client

CVE-2016-1764, fixed by Apple in March of 2016, is an application-layer bug that leads to the remote disclosure of all message content and attachments in plaintext by exploiting the OS X Messages client.

In this video, our researchers demonstrate how to exploit the OS X Messages client when an unknowing victim clicks a link in a message.


In this video we will be demonstrating how an attacker can steal the messages and attachments of a victim through the messages for OSX application. The first step of the exploitation process requires the attacker to send a message containing a malicious JavaScript link to the victim. When this message is received by the victim, a notification is shown as seen in the video. When the victim opens the message, the JavaScript URI is highlighted. As soon as the victim clicks the link, the malicious payload sent by the attacker is executed on the victim's machine from the attacker's view. As soon as the victim has clicked on the malicious link, the victim's messages and attachments are uploaded to the attackers server as seen in the video. The attacker now has the attachments and the messages database of the victim.

This site uses cookies to provide you with a great user experience. By continuing to use our website, you consent to the use of cookies. To find out more about the cookies we use, please see our Privacy Policy.