In the middle of intense public debate over whether Apple should be forced to help the government decrypt iPhones for criminal investigations, the company quietly closed a six-month-old security vulnerability in its Messages app. Newly published details reveal just how severe that vulnerability was, allowing the exfiltration of chat history, including photos and videos, if the user could be tricked into clicking a single malicious link.
The bug, which affected Apple’s laptop and desktop computers from September through March, highlights just how hard it is for companies like Apple to effectively secure sensitive data — even before those companies begin fielding requests from the government for special access. Tech companies like Apple are nearly unanimous in their agreement that creating “backdoors” through which the government may access protected data undermines even the most basic security measures, including those designed to protect against vulnerabilities like the Messages bug.
The problem was not with Apple’s encryption systems, which remain relatively well-regarded among security experts, but in the “client” software that uses those systems, in this case Messages, the app that carries Apple’s iMessage service. The problem was confined to versions of Messages that came with the “El Capitan” release of the OS X operating system, meaning that iPhones, iPads, and older versions of OS X were not impacted.
Amid the discussion about Apple’s messaging protocols and encryption, “People may overlook simple things like being able to exploit the client. That can also achieve the end goal of being able to steal information much the same way that breaking crypto would,” said Matthew Bryant, a co-author of the write-up and a former security consultant at Bishop Fox.
Users of the vulnerable version of the app could be sent malicious messages by any stranger, said Bishop Fox senior security analyst Shubham Shah. Many instant messaging platforms require that new contacts be approved before they can send you messages.
The flaw lay in how Messages displayed message content: clicking a crafted javascript: link ran attacker-supplied script inside the app itself, with the app’s own access to the local chat database and attachments, rather than inside an isolated web origin of the kind a browser would enforce. “From a technical perspective, it doesn’t really make sense to implement the same-origin policy in native applications like Messages,” said Bishop Fox associate penetration tester Joe DeMesy.
One takeaway for users is to think twice before clicking on a sketchy link. “URLs are part of a very large and complicated ecosystem and they can do a variety of different things depending on the type of URL they are. They should really be treated more like email attachments than just links to websites,” DeMesy said.
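The two points above, that a native client cannot lean on the browser’s same-origin policy and that a URL can do far more than open a web page, translate into a concrete client-side rule: never let untrusted message text become markup, and only make links clickable when their scheme is one you intend to honor. The following is an added example written for this page, not code from Apple, Bishop Fox, or the article, for a hypothetical chat client that renders incoming messages as HTML. The message strings and the function names are assumptions for illustration.

```javascript
// Added example (not code from Apple, Bishop Fox, or the article): a scheme
// allowlist for links in a hypothetical chat client that renders incoming
// messages as HTML. Untrusted text is escaped, and only http/https links
// become clickable; javascript:, data:, file: and similar schemes stay as
// inert text, so a "single malicious link" cannot run script in the app.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Escape the characters that let text break out of an HTML text node or a
// double-quoted attribute value.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Return the normalized href if the URL is safe to make clickable, else null.
// The WHATWG URL parser lowercases the scheme and strips leading/trailing
// control characters and whitespace, so "JaVaScRiPt:alert(1)" and
// "\tjavascript:alert(1)" are both recognized and rejected. Relative
// references are rejected too: they would resolve against the app's own
// origin, which is exactly the context an attacker wants.
function safeHref(raw) {
  let u;
  try {
    u = new URL(raw); // throws on relative or malformed input
  } catch (e) {
    return null;
  }
  return ALLOWED_SCHEMES.has(u.protocol) ? u.href : null;
}

// Render a plain-text message as HTML: every whitespace-separated token that
// parses as an allowed URL becomes an <a>; everything else is escaped text.
function renderMessage(text) {
  return text
    .split(/(\s+)/)
    .map((tok) => {
      if (/^\s*$/.test(tok)) return tok;
      const href = safeHref(tok);
      if (href === null) return escapeHtml(tok);
      return `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${escapeHtml(tok)}</a>`;
    })
    .join("");
}

// Constructed sample messages: one benign, one carrying a script URL.
const SAMPLE_BENIGN = "see https://example.com <b>hi</b>";
const SAMPLE_HOSTILE = "click JaVaScRiPt:alert(document.cookie) now";

if (typeof require !== "undefined" && require.main === module) {
  console.log(renderMessage(SAMPLE_BENIGN));
  console.log(renderMessage(SAMPLE_HOSTILE));
}
```

The allowlist is deliberately a set of schemes to permit rather than a blocklist of schemes to reject: new or vendor-specific schemes (the "variety of different things" DeMesy refers to) are then safe by default, and a review of the two permitted ones is all that is needed when the client changes.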
Another takeaway is the importance of installing patches and updates. Anyone still running an El Capitan release that predates Apple’s fix remains vulnerable to this exploit, which is part of the reason why DeMesy, Shah, and Bryant chose to wait several weeks after Apple released its fix to publicize the details of the vulnerability.
Yael Grauer is an independent journalist based in Phoenix. She’s written for WIRED, Slate, Forbes, and others.
PGP: 6E72 C713 979F 9EEA EFB8 A40B 5E34 C751 4A11 536A
Public Key: https://pgp.mit.edu/pks/lookup?op=get&search=0x5E34C7514A11536A