Malicious Link Steals Every iMessage on Your Mac

Staff Writer
Updated

Imagine someone stealing a copy of every iMessage on your Mac, or even on your iPhone, without you even knowing that it happened.

Credit: Dedi Grigoroiu/ShutterstockCredit: Dedi Grigoroiu/Shutterstock

All an attacker needs to pull off this heist is to trick you into clicking on a malicious link sent through Apple's Messages app.  If you do, he or she will have every note you've texted to your friends, every communication you've sent to your loved ones and any other notes you may want to keep private.

MORE: The Best (and Worst) Identity Theft Protection

This vulnerability was revealed in a blog post last Friday (April 8) by Joe DeMesy, Shubham Shah and Matthew Bryant, three researchers at the Tempe, Arizona-based security firm Bishop Fox. The blog post, and an accompanying YouTube video, detail how a JavaScript command that's masquerading as a regular URL can steal those messages instantly.

Text messages stored on an iPhone can also be stolen if the victim uses Apple's message-forwarding feature, which lets a Mac receive a copy of every iMessage and text message sent to and from the user's iPhone.

Source: YouTube / Bishop Fox

If you click the malicious JavaScript link, it executes code from a remotely-linked site and uploads your entire iMessage database to the attacker's server. Such cross-site scripting (XSS) attacks have hit web browsers for years, but Apple's messaging client is also vulnerable because it uses the WebKit engine, also used by Safari, to render HTML.

Seasoned computer users may be suspicious of a lengthy link that starts with "javascript://", but the example shared by the team at Bishop Fox also contains "www.facebook.com," which may be enough to trick users into clicking immediately. The Bishop Fox team calls this a "relatively simple bug" and explains that an attacker would only need a basic understanding of JavaScript to exploit the bug.

Fortunately, not only is it easy to spot a JavaScript link by its prefix, but Apple fixed this vulnerability in OS X 10.11.4, which was released last month (Mar. 21). This was one of many bugs squashed by the update, so we encourage users to click the Apple logo in the upper right corner, select App Store and tap Updates to download the latest version of the operating system.

As always, we advise users never click on suspicious-looking links. We can now add that users should never trust a link that starts with "javascript://".