Bug in OS X Messages client exposes messages, attachments

When Apple pushed out security updates for its many products in March, much attention was given to a zero-day bug discovered by a team of Johns Hopkins University researchers, which could have allowed attackers to decrypt intercepted iMessages.

Another vulnerability (CVE-2016-1764), which affects the OS X Messages client, passed practically unnoticed, as its description simply said “clicking a JavaScript link can reveal sensitive user information.”

But on Friday the researchers who unearthed it revealed more details about it: the flaw is not only critical, as it allows attackers to steal a victim’s message history in addition to any message attachments, but also extremely easy to exploit.

“An attacker could exploit this vulnerability by sending a malicious message to a victim, which could be manipulated to appear as if it came from a trusted source. The message would contain a link that, when clicked by the victim, would give the attacker access to the victim’s messages and attachments almost instantly,” the researchers noted.

“It would have been a devastating attack for anyone to experience,” said Joe DeMesy, a security associate at cybersecurity consulting firm Bishop Fox who is one of the three researchers responsible for the finding. “Think about what you usually send to your friends and family via message. Private photos, personal information, all kinds of content you wouldn’t want to fall into the wrong hands.”

More technical details about the flaw can be found in this blog post. PoC exploit code has been released on GitHub.

The researchers disclosed their finding to Apple, and the parties worked together to quickly remediate the issue. “Apple was responsive from the start and kept the lines of communication open throughout the disclosure process,” said Carl Livitt, a partner at Bishop Fox.

If you are one of the many Messages for OS X users and have yet to update your software to the newest version, both Apple and Bishop Fox advise doing so immediately.