Cyber security researcher Ross McKillop discovered the security vulnerabilities of Apple’s new mobile operating system. The newly designed links of iMessage allow the user to see a brief preview of the website on the other end before clicking it. However, unlike other services that have website previews, such as Slack or Facebook, iMessage sends request from the owner’s phone itself, rather than through a service.
In turn, valuable data is being transferred between the user’s device and the website on the other end. Information such as IP addresses and hardware and software details are transferred.
McKillop notes the potential attack vector for hackers to use by exploiting iMessage’s new functionality.
As this request is clearly being made, and parsed, by Safari from the User-Agent string it’s reasonable to believe that there is potential that an exploit found in Safari could be triggered without the target even browsing to the site, simply by sending them an iMessage containing that URL.
Unfortunately, there is no rock-solid way to combat this issue if you are currently an iOS 10 or macOS Sierra user. Apple’s lack of using a VPN could be fixed in the future, but there is no definite date that this will be resolved by.
Apple’s new iMessage has not been free of scrutiny apart from this. Just a couple weeks after the new OS’s release dates, it was found that some personal information sent over iMessage is stored on Apple’s servers.