Messages service for OS X contained message disclosure vulnerability
The Messages app for OS X contained a vulnerability that allowed an attacker to obtain a user's entire conversation history, attachments included, by getting the user to click a single link. Apple closed the hole in a March update (OS X El Capitan 10.11.4).
The vulnerability, registered as CVE-2016-1764, existed because Messages renders conversations in an embedded WebKit engine and, as the Bishop Fox researchers write, turns every URI in a message into a clickable HTML link. Messages did not apply an allowlist of URI schemes, so an attacker could send the victim a javascript: link; clicking it executed the attacker's JavaScript inside the Messages WebKit view, as the researchers demonstrate in the video below.
Because Messages did not enforce a same-origin policy on that view, the injected script could read local files via an XHR GET request. To reach the chat history, the attacker needed the victim's OS X username, since the full path to the chat database runs through the user's home directory. According to the researchers this was no obstacle, as the name of the logged-in user could easily be obtained from the OS X application sandbox. The script could then send the complete chat database and attachments to a server of the attacker's choosing.
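As an added example, not Bishop Fox's exploit code and not Apple's implementation, the control the article says Messages lacked: a URI-scheme allowlist applied before the URIs in a message are turned into links, shown as a vulnerable renderer beside a hardened one. The function names, the contents of the allowlist and the sample messages are assumptions made for illustration.

```javascript
// Added example, not code from Bishop Fox or Apple: a URI-scheme allowlist
// checked before a message's URIs become clickable links in an embedded WebKit
// view. Function names and allowlist contents are assumptions for illustration.

const ALLOWED_LINK_SCHEMES = new Set(["http", "https", "mailto", "tel"]);

// Extract the scheme the way a URL-standard parser (as used by WebKit) sees it:
// drop leading C0 controls and spaces, drop embedded tab/CR/LF, then take the
// token before the first ':' and lower-case it. Returns null if there is none.
function uriScheme(uri) {
  const cleaned = String(uri)
    .replace(/^[\x00-\x20]+/, "")
    .replace(/[\t\n\r]/g, "");
  const m = /^([a-z][a-z0-9+.\-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// A URI may become a clickable link only if its scheme is on the allowlist.
// javascript:, file:, data: and the WebKit-internal applewebdata: all fail here.
function isAllowedLinkUri(uri) {
  const scheme = uriScheme(uri);
  return scheme !== null && ALLOWED_LINK_SCHEMES.has(scheme);
}

// HTML-escape so message text cannot inject markup of its own.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Any whitespace-delimited token with a scheme-like prefix is a URI candidate.
const URI_TOKEN = /^[a-z][a-z0-9+.\-]*:\S+$/i;

// Vulnerable pattern (the behaviour the article describes): every URI in the
// message becomes an <a href>, so a javascript: URI becomes an executable link.
function renderMessageUnsafe(text) {
  return text.split(/(\s+)/).map((tok) =>
    URI_TOKEN.test(tok)
      ? `<a href="${escapeHtml(tok)}">${escapeHtml(tok)}</a>`
      : escapeHtml(tok)
  ).join("");
}

// Hardened pattern: only allowlisted schemes are linkified; everything else is
// rendered as inert, escaped text.
function renderMessageSafe(text) {
  return text.split(/(\s+)/).map((tok) =>
    URI_TOKEN.test(tok) && isAllowedLinkUri(tok)
      ? `<a href="${escapeHtml(tok)}">${escapeHtml(tok)}</a>`
      : escapeHtml(tok)
  ).join("");
}

// Constructed sample messages; the second and third are shaped like the attack
// the article describes (a javascript: URI sent to the victim).
const SAMPLES = [
  "see https://example.com/report for details",
  "javascript:alert(document.location)",
  "JaVaScRiPt:alert(1)",
  "file:///Users/victim/Library/Messages/chat.db",
];

for (const s of SAMPLES) {
  console.log("unsafe:", renderMessageUnsafe(s));
  console.log("safe:  ", renderMessageSafe(s));
}
```

The scheme is normalised before it is compared, because a naive denylist such as `uri.startsWith("javascript:")` misses the mixed-case and embedded-tab/newline forms that URL parsers silently accept. Linkification is only one layer, though: the file read described in the next paragraph would still need the embedded WebKit view to be denied file:// access and held to a same-origin policy.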
If Text Message Forwarding was enabled, the database on the Mac also held the SMS history of the user's iPhone, so the XSS attack exposed that as well. Installing malware was not possible by this route. The researchers have published the accompanying exploit code on GitHub, and there is no indication that the vulnerability was actually exploited by malicious parties.