IN THE MIDDLE of intense public debate over whether Apple should be forced to help the government decrypt iPhones for criminal investigations, the company quietly closed a six-month-old security vulnerability in its Messages app. Newly published details reveal just how severe that vulnerability was, allowing the exfiltration of chat history, including photos and videos, if the user could be tricked into clicking a single malicious link.

The bug, which affected Apple’s laptop and desktop computers from September through March, highlights just how hard it is for companies like Apple to effectively secure sensitive data — even before those companies begin fielding requests from the government for special access. Tech companies like Apple are nearly unanimous in their agreement that creating “backdoors” through which the government may access protected data undermines even the most basic security measures, including those designed to protect against vulnerabilities like the Messages bug.

Apple fixed the Messages vulnerability with a software update March 21, describing it cryptically as “an issue … in the processing of JavaScript links. … Clicking a JavaScript link can reveal sensitive user information.” Full details came on Friday, when the team that discovered the bug at security consultancy Bishop Fox posted a technical write-up and code demonstrating how to exploit the flaw.

The problem was not with Apple’s encryption systems, which remain relatively well-regarded among security experts, but in the “client” software that uses those systems, in this case, Apple’s instant-messaging app Messages, formerly known as iMessage. The problem was confined to versions of Messages that came with the “El Capitan” release of the OS X operating system, meaning that iPhones, iPads, and older versions of OS X were not impacted.

Amid the discussion about Apple’s messaging protocols and encryption, “People may overlook simple things like being able to exploit the client. That can also achieve the end goal of being able to steal information much the same way that breaking crypto would,” said Matthew Bryant, a co-author of the write-up and a former security consultant at Bishop Fox.

The Messages bug was triggered when a user clicked on a specially crafted hyperlink arriving via instant message. Rather than taking the user to a website when clicked, as most links do, this link executed malicious JavaScript code. Web standards allow any link to contain this sort of executable code, but such code is typically contained, or “sandboxed,” to prevent system attacks. The Messages app failed to properly safeguard against such attacks. Indeed, JavaScript embedded in a hyperlink sent to a Messages user could, when activated with a click, gain remote access to the target’s unencrypted message history and message attachments, including personal photos and videos. If the target had synced their phone to iCloud, the attacker could gain access to all of their SMS text messages as well.

Users of the vulnerable version of the app could be sent malicious messages by any stranger, said Bishop Fox senior security analyst Shubham Shah. Many instant messaging platforms require that new contacts be approved before they can send you messages.

Apple elected to fix the vulnerability simply by blocking all hyperlinks containing JavaScript.

The bug appears to have arisen because Apple failed to properly adapt code intended for use in a web browser for use in the context of a messaging app. To render content like hyperlinks, Messages uses an embedded version of the open source web-browser engine WebKit. Web browsers typically limit the reach of JavaScript code by containing it to a single originating web server. This means that scripts on a web page may access data on a second web page only if the second page originates from the same server. This is known as the “same-origin policy,” and Apple discarded it for the Messages app.

“From a technical perspective, it doesn’t really make sense to implement the same-origin policy in native applications like Messages,” said Bishop Fox associate penetration tester Joe DeMesy.

But abandoning the same-origin policy meant that JavaScript code embedded in Messages links had access to local files, which isn’t the case for JavaScript that is executed in a web browser. “This allowed us to leverage the vulnerability in interesting ways that wouldn’t have been possible in the browser,’ said DeMesy.

One takeaway for users is to think twice before clicking on a sketchy link. “URLs are part of a very large and complicated ecosystem and they can do a variety of different things depending on the type of URL they are. They should really be treated more like email attachments than just links to websites,” DeMesy said.

Another takeaway is the importance of installing patches and updates. Anyone running an older version of OS X El Capitan is still vulnerable to this exploit, which is part of the reason why DeMesy, Shah, and Bryant chose to wait several weeks after Apple released its fix to publicize the details of the vulnerability.

Yael Grauer is an independent journalist based in Phoenix. She’s written for WIRED, Slate, Forbes, and others.

PGP: 6E72 C713 979F 9EEA EFB8 A40B 5E34 C751 4A11 536A
Public Key:

Top photo: Phil Schiller, Apple’s senior vice president of worldwide product marketing, discusses messaging on the new iPhone 6 and iPhone 6 plus in Cupertino, Calif., Sept. 9, 2014.