
The Apple iMessage Flaw Attackers, Spammers Will Love

iOS 10 users might think it's neat that preview thumbnails now appear automatically alongside links sent via iMessage, the technology that Apple's Messages app uses to send messages between Apple devices. Unfortunately, Apple is performing this feat in a way that shares private information about your location and devices with the server of the previewed site.

We've learned about this leak in a blog post dated Oct. 3 from Ross McKillop, a Scottish web developer. McKillop revealed that iMessage requires the recipient's device to request the preview image and headline from the delivered link, and that in doing so, it shares your device's IP address, device type (iPad, iPhone or Mac) and the OS version you're running.


A malicious sender or spammer could use all of this information to customize a spear-phishing attack to a target: the IP address suggests where you are located, and the device type and OS version tell them which devices you own and how up to date (or not) their software is, and therefore which vulnerabilities they might still have.

Because iMessages can be received by all Apple devices, you'll be unwittingly sharing this data for all the iDevices you own. This potentially makes matters worse: if you're out and away from your Mac, someone with this data could figure that out from the discrepancy between the IP addresses.

Not all links received by Messages hand over this data automatically, as only those sent via other Apple devices on its iMessage protocol display thumbnails and headlines by default. Links sent via SMS by non-Apple devices don't automatically pull images and headlines, and require you to tap to preview.

While Facebook and Slack also display previews, those programs make the requests from their own servers, making it so that user metadata isn't shared.

What can I do?

  • You shouldn't have to do anything. This is Apple's wrong to right, and as McKillop notes, it could do so by either processing the metadata request on its end, or doing so from the sender's device.
  • If this really concerns you, you can disable the iMessage protocol until Apple changes how this works. Do so on an iPhone or iPad by opening Settings, tapping Messages and turning off the switch next to iMessage. On a Mac, open Messages, click Messages in the menu bar, click Accounts and click Sign Out. This is likely a step too far, but if you're truly worried about your IP address getting shared willy-nilly, it's the option provided.
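For readers curious what the server-side design credited above to Facebook and Slack (and suggested by McKillop for Apple) looks like, here is an added illustration in Python; it is not code from the article, Apple or McKillop, and the header values, class names and sample page are constructed for the example. The service fetches the link itself with a fixed User-Agent, so the recipient's IP address, device type and OS version never reach the linked site; it also shows the new check a server-side fetcher needs, because it is now fetching sender-chosen URLs.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The preview service sends its own fixed User-Agent; the recipient device's
# string (which reveals device model and OS version) never reaches the site.
PREVIEW_HEADERS = {"User-Agent": "LinkPreviewBot/1.0", "Accept": "text/html"}

def is_safe_preview_url(url: str) -> bool:
    """Server-side fetching trades the recipient's exposure for a new risk: the
    server now fetches sender-chosen URLs, so refuse non-HTTP schemes and
    private/loopback addresses. Only literal IPs are checked here; production
    code must re-check every resolved address and every redirect target."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        return ipaddress.ip_address(parts.hostname).is_global
    except ValueError:
        return True  # a hostname, not a literal IP: resolve, then re-check

class OpenGraphParser(HTMLParser):
    """Collect og:title / og:image and the <title> text as a fallback headline."""
    def __init__(self):
        super().__init__()
        self.og, self.title, self._in_title = {}, "", False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("property", "").startswith("og:"):
            self.og[a["property"]] = a.get("content", "")
        elif tag == "title":
            self._in_title = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data

def build_preview(html: str) -> dict:
    # Reduce a fetched page to the two fields a preview bubble needs.
    p = OpenGraphParser()
    p.feed(html)
    return {"title": p.og.get("og:title") or p.title.strip(),
            "image": p.og.get("og:image", "")}

SAMPLE_HTML = """<html><head><title>Fallback title</title>
<meta property="og:title" content="iOS 10 link previews leak device data">
<meta property="og:image" content="https://example.com/preview.png"></head></html>"""
```

Running `build_preview(SAMPLE_HTML)` on the constructed page yields the headline and image a preview would show, while `is_safe_preview_url` rejects `file://` links and loopback or private addresses before the server ever connects.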