A group of security researchers has found a security flaw in the Apple iMessage that exposed chat history and sensitive data with a single click. Recently WhatsApp has introduced the end-to-end encryption to protect its users from eavesdropping, many other companies are adopting the technical improvement, but there are some circumstances that still open their customers to cyber attacks.
This is the case of the Apple Messages app, aka iMessage, the company, in fact, has now solved a security vulnerability (CVE-2016-1764) in its Messages app that exposed chat history, including photos and videos, if the user could be tricked into clicking a malicious link with a social engineering attack.
The bug in the Apple Messages app was discovered six months ago and affected both laptop and desktop computers, the company fixed the vulnerability with a software update issued on March 21.
“Messages – Available for: OS X El Capitan v10.11 to v10.11.3
CVE-ID – CVE-2016-1764 : Matthew Bryan of the Uber Security Team (formerly of Bishop Fox), Joe DeMesy and Shubham Shah of Bishop Fox” states the security advisory issued by Apple.
Last Friday, the security experts that have found the issue disclosed more details about the vulnerability and published a proof-of-concept code.
Below a video PoC published by the team.
The experts highlighted that the flaw did not affect the iMessage protocol, but it resides in the “client” software, the Apple’s iMessage. The unique versions affected by the issue are the ones that came with the El Capitan OS X, other Apple devices are not affected.
The attack is very dangerous because it could result in the theft of sensitive data and could be exploited remotely tricking users into clicking a specially crafted hyperlink arriving via instant message.
“The only user interaction required for a successful attack is a single click on a URL. Furthermore, if the victim has the ability to forward text messages from their computer (SMS forwarding) enabled, the attacker can also recover any messages sent to or from the victim’s iPhone.” states the team.
The researchers explained that the flaw resides in the iMessage implementation of the open source web-browser engine WebKit, and app’s ability of execute web scripts. Unfortunately, the Webkit feature is implemented by many other Web apps.