Messages service for OS X contains vulnerability that poured out messages




The Messages service for OS X contains a vulnerability, which made it possible to get the entire file and call history from a user to click on this link. Apple in March distributed a patch to plug the leak.

The vulnerability, which has been allocated the number CVE-2016-1764, was possible because Messages uses an embedded version of the WebKit engine. In addition, the service renders any uri as a selectable HTML link, so write the security researchers at Bishop Fox. Because no list exists of allowed protocols Messages, an attacker could use a malicious javascript link sent to the victim, as in the video demonstration below. As a result, a potential attacker was able to execute JavaScript code.

Messages Because no same-origin policy applies were there with a malicious script via XHR be called GET request certain files. To get the file and call history when it was necessary to identify the user name under which it was registered in OS X. On this basis, the attacker could generate the full path to the IM database. According to the researchers, however, this was not a problem as the logged in user could be easily retrieved from the OS X application sandbox. In this way, it was possible to send the entire file and conversation history to a chosen server.

If it was activated automatic forwarding of SMS messages could be traced also the history of an iPhone this xss attack. It was not possible for example to install malware via this way. The code of the corresponding exploits by the researchers available soon GitHub and no indications were that the vulnerability is actually used by attackers.


In: A Technology & Gadgets Asked By: [20314 Red Star Level]

Answer this Question

You must be Logged In to post an Answer.

Not a member yet? Sign Up Now »

Star Points Scale

Earn points for Asking and Answering Questions!

Grey Sta Levelr [1 - 25 Grey Star Level]
Green Star Level [26 - 50 Green Star Level]
Blue Star Level [51 - 500 Blue Star Level]
Orange Star Level [501 - 5000 Orange Star Level]
Red Star Level [5001 - 25000 Red Star Level]
Black Star Level [25001+ Black Star Level]