At the height of the Apple-FBI battle, researchers at Johns Hopkins University tunneled their way through the encryption protocol protecting iMessage to get at content sent via the Apple application.
Last week, a decidedly less complicated approach surfaced.
“The complexity of the attack is far less than the impact,” said Joe DeMesy, security associate at Bishop Fox. “That’s what makes this an interesting little bug.”
DeMesy, along with colleague and senior security analyst Shubham Shah and researcher Matt Bryant, found the bug almost by accident, according to Shah. The trio were in the midst of research on URI handler bugs when Shah inadvertently opened iMessage instead of another messaging app he was examining. Given that the app was open, he tried the proof-of-concept they had in hand and it worked. DeMesy and Shah said they believe the flaw and exploit could work on messaging apps for other platforms, but aren’t close to disclosing yet.
They did privately report this bug to Apple, which patched it in short order, the researchers said.
The vulnerability affects only iMessage on OS X, but since many users attach an iCloud account to their MacBooks and sync their iPhones to iMessage, Shah said it is possible that any messages linked to the account could be stolen via their exploit.
“The end game is to steal the iMessage database, and if you have your [iPhone] synched to the iMessage app, all messages on the phone are also synched to the same database,” Shah said. “In that scenario, if you receive a link from any user and click, not only your messages on your computer, but also on your phone will be sent to the attacker.”
“You would never be able to do that in Chrome,” DeMesy said. “A lot of apps rely on that functionality, but in this case, we know it can only be used to render in iMessage, so it can be safely disabled [without breaking other functionality].”
“If you’re looking at memory corruption or buffer overflow bugs, since you’re literally crashing the systems to get the exploit to work, there’s always a reliability problem with those bugs,” DeMesy said. “This is 100 percent reliable. It’s definitely a new class of exploit too. There’s not a lot of research in this area.”