Apple might need to fine-tune the link preview feature the company added to iMessage in iOS 10 and macOS 10.12, released two weeks ago, in September.
According to Ross McKillop, this new feature contains an information leak bug that allows an attacker to learn an iMessage user’s IP address, OS version, and device details.
Link previews are the small content cards that appear whenever you type and share a URL in a chat window. IM services such as Facebook, Twitter, Skype, or Slack also provide this feature, which can be quite handy, offering a preview of what the link holds, without having to leave the IM app.
For the aforementioned services, whenever a user shares a link with a person he’s chatting with, the service scans the link, accesses the URL, retrieves the data needed for a preview (page title, page description, thumbnail image), and embeds the data inside the user’s chat window, when available.
All these operations are carried out from the IM service’s servers and only the server’s IP address is exposed when making the request for retrieving the link preview content.
McKillop says that this is not the case for iMessage, which performs these queries from the user’s device.
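The server-side flow described above for the other services, as an added sketch that is not code from Apple, McKillop, or any of the named services: the service's own host fetches the page and hands the chat client only the preview fields, so the linked site never sees the recipient's IP address or device details. The use of Open Graph tags, the `preview-bot/1.0` User-Agent, and the function names are assumptions made for illustration.

```python
from html.parser import HTMLParser
import urllib.request

class PreviewParser(HTMLParser):
    """Collects Open Graph tags (assumed), falling back to <title>/meta description."""
    def __init__(self):
        super().__init__()
        self.og, self.fallback, self._in_title = {}, {}, False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "meta" and a.get("content"):
            prop = (a.get("property") or "").lower()
            if prop in ("og:title", "og:description", "og:image"):
                self.og.setdefault(prop[3:], a["content"].strip())
            elif (a.get("name") or "").lower() == "description":
                self.fallback.setdefault("description", a["content"].strip())

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title and data.strip():
            self.fallback.setdefault("title", data.strip())

def build_card(url, html):
    """Return only the fields the chat client needs to render a preview."""
    p = PreviewParser()
    p.feed(html)
    p.close()
    fields = ("title", "description", "image")
    return {"url": url, **{f: p.og.get(f) or p.fallback.get(f) for f in fields}}

def fetch_card(url, timeout=5, max_bytes=512 * 1024):
    """Runs on the service's server: the site sees this host's IP, not the user's."""
    if not url.lower().startswith(("http://", "https://")):
        raise ValueError("only http(s) URLs are fetched for previews")
    # Hypothetical generic User-Agent: no per-user OS or device string is sent.
    req = urllib.request.Request(url, headers={"User-Agent": "preview-bot/1.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        html = resp.read(max_bytes).decode("utf-8", errors="replace")
    return build_card(url, html)

# Constructed sample page, so the parser can be exercised offline.
SAMPLE_HTML = """<html><head><title>Fallback title</title>
<meta name="description" content="Plain description">
<meta property="og:title" content="Example article">
<meta property="og:image" content="https://example.com/thumb.png">
</head><body>...</body></html>"""
```

The client renders the dictionary returned by `build_card` and never opens a connection to the shared URL itself.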
In a very plausible attack scenario, a threat actor or a spammer can send a victim a link to a site he controls.
When the user opens iMessage to see the message, even if he never clicks the link and accesses it, iMessage would connect to the URL automatically, and retrieve the necessary preview data.
The attacker’s server would collect personal details for every user to whom the attacker sent a link via iMessage. This data is important, and exposing it might have dire consequences.
For example, a nation-state actor could learn a target’s IP address, and get a general idea of the victim’s geographical location, ISP, and even the target’s real name.
Further, a spammer could use the collected information to hone future attacks and send spam or spear-phishing messages in the user’s local language, or fine-tuned for mobile or desktop devices, based on a user’s device details exposed by iMessage.
Since there’s no user interaction needed to exploit this flaw, the attack is trivial and available to any threat actor at the time of this article. Additionally, iMessage has no option that allows users to turn link previews off, on either iOS or macOS devices.