At the height of the Apple-FBI battle, researchers at Johns Hopkins University tunneled their way through the encryption protocol protecting iMessage to get at content sent via the Apple application.
Last week, a decidedly less complicated approach surfaced.
Rather than having to learn crypto, inject malware or establish a man-in-the-middle position on the network, a trio of researchers figured out how to abuse the desktop OS X version of iMessage using some JavaScript and one click from the user.
“The complexity of the attack is far less than the impact,” said Joe DeMesy, security associate at Bishop Fox. “That’s what makes this an interesting little bug.”
As it turns out, before the March 21 iOS 9.3 update, iMessage would convert JavaScript URLs into clickable links in the app, offering criminals an easy path to steal the app’s database, thus grabbing an archive of messages and attachments.
DeMesy, along with colleague and senior security analyst Shubham Shah and researcher Matt Bryant, found the bug almost by accident, according to Shah. The trio were in the midst of research on URI handler bugs when Shah inadvertently opened iMessage instead of another messaging app he was examining. Given that the app was open, he tried the proof-of-concept they had in hand and it worked. DeMesy and Shah said they believe the flaw and exploit could work on messaging apps for other platforms, but aren’t close to disclosing yet.
They did privately report this bug to Apple, which patched it in short order, the researchers said.
The vulnerability affects only iMessage on OS X, but since many users attach an iCloud account to their MacBooks and sync their iPhones to iMessage, Shah said it is possible that any messages linked to the account could be stolen via their exploit.
“The end game is to steal the iMessage database, and if you have your [iPhone] synched to the iMessage app, all messages on the phone are also synched to the same database,” Shah said. “In that scenario, if you receive a link from any user and click, not only your messages on your computer, but also on your phone will be sent to the attacker.”
The researchers’ proof-of-concept exploit allows for any code to be sent to the client, but only JavaScript would execute thanks to the vulnerability. All other code would be confined to the Apple OS X sandbox, denying the attacker access to arbitrary files, for example.
The researchers published a report explaining that the vulnerability lies in the app’s implementation of WebKit, and in a design capability that lets it execute JavaScript and other web-related scripts.
“The iMessage app would convert links on a loose type of restriction,” Shah said. “If it thought it looked like a link, it would convert it to a hyperlink in the viewer. Because of the flaw, we could insert JavaScript via a neat little trick. Using javascript://, which is supposed to be a comment, we insert a URI instead and iMessage converts it to an actual link.”
This is a default WebKit feature that dates back 20 years, DeMesy said, and a lot of Web apps rely on this type of functionality. Apple’s update removed the ability to render JavaScript links as clickable, remediating the issue, the researchers said.
“You would never be able to do that in Chrome,” DeMesy said. “A lot of apps rely on that functionality, but in this case, we know it can only be used to render in iMessage, so it can be safely disabled [without breaking other functionality].”
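The mechanism described above, the app auto-linkifying anything that "looked like a link," is easy to reproduce in a toy renderer. The example below is added here and is not Bishop Fox's proof of concept or Apple's code: it assumes a linkifier that matches the `scheme://rest` shape, shows the loose version turning a `javascript://` URI into a clickable anchor, then the hardened version that only linkifies an allowlist of schemes, plus a small check a reviewer can run over rendered HTML to flag anchors with non-allowlisted schemes. All message text is constructed sample input.

```javascript
// Added example, not code from the article or from Bishop Fox/Apple.
// Toy "linkifier" like the one the article describes: text that looks like
// scheme://rest is wrapped in an <a href>. Assumption: the renderer only
// recognises the "://" form, which is why a javascript:// URI slips through.

const URL_PATTERN = /\b([a-z][a-z0-9+.-]*):\/\/[^\s<]+/gi;

// Schemes a chat renderer has a reason to make clickable. An allowlist is the
// right shape here: denylisting "javascript" alone would miss other schemes.
const ALLOWED_SCHEMES = new Set(['http', 'https']);

// Escape text before building markup so message content cannot break out of
// the href attribute or inject its own tags.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Loose rule (the pre-fix behaviour): any scheme becomes a clickable anchor,
// so javascript://... renders as a link that runs script when clicked.
function linkifyLoose(text) {
  return escapeHtml(text).replace(URL_PATTERN, (m) => `<a href="${m}">${m}</a>`);
}

// Hardened rule: only allowlisted schemes become anchors; anything else is
// left as inert, escaped text. Scheme comparison is case-insensitive because
// browsers treat JavaScript:// the same as javascript://.
function linkifyStrict(text) {
  return escapeHtml(text).replace(URL_PATTERN, (m, scheme) =>
    ALLOWED_SCHEMES.has(scheme.toLowerCase()) ? `<a href="${m}">${m}</a>` : m);
}

// Defensive check over rendered HTML: list the schemes of any href that is
// not on the allowlist. Useful as a unit test on whatever renderer is in use.
function unsafeLinkSchemes(html) {
  const found = [];
  for (const m of html.matchAll(/href="([a-z][a-z0-9+.-]*):/gi)) {
    const scheme = m[1].toLowerCase();
    if (!ALLOWED_SCHEMES.has(scheme)) found.push(scheme);
  }
  return found;
}

// Constructed sample message: one script-scheme URI and one ordinary URL.
const SAMPLE = 'see javascript://demo and https://example.com/docs?a=1&b=2';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('loose :', linkifyLoose(SAMPLE));
  console.log('strict:', linkifyStrict(SAMPLE));
  console.log('unsafe schemes (loose) :', unsafeLinkSchemes(linkifyLoose(SAMPLE)));
  console.log('unsafe schemes (strict):', unsafeLinkSchemes(linkifyStrict(SAMPLE)));
}
```

Run with `node linkify.js` to see both renderings side by side. The fix Apple shipped, as the article describes it, amounts to the `linkifyStrict` shape: the renderer stops treating `javascript:` URIs as links at all, which is safe because nothing else in the app depends on them.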
Shah said their proof of concept requires only a basic knowledge of JavaScript and a payload of just 50 lines of JavaScript, something he said could be shrunk down further.
“If you’re looking at memory corruption or buffer overflow bugs, since you’re literally crashing the systems to get the exploit to work, there’s always a reliability problem with those bugs,” DeMesy said. “This is 100 percent reliable. It’s definitely a new class of exploit too. There’s not a lot of research in this area.”