iMessage Preview Problems; leak your location by receiving a text message (opens in new tab)

(theantisocialengineer.com)

36 pointsdeep_attention9y ago45 comments

45 comments

tl;dr iMessage now previews links automatically

> The updated iMessage loads the link preview and in essence clicks the link for you! That’s what irks us with this, the choice. OK we might not stop people clicking links anytime soon but Apple have taken this very choice away from us and facilitate the information leakage. The very act of receiving an SMS message can reveal your rough geographic location, your cellular operator, your current WiFi network.

spullara9y ago

What makes this more frustrating is that the link previews are a pretty terrible user experience.

userbinator9y ago

I don't use iMessage but I've noticed this "design pattern" turning up in various other apps, and I hate those bloody things. They're extremely distracting and annoying because they often include "loud" imagery too, when I'm only trying to read the text. I turn them off whenever I can.

throwanem9y ago

It's an unusual and disappointing error on Apple's part. I wouldn't be surprised to see it corrected in the first iOS 10 update. (And this is why we never install the .0 version of anything, and counsel our friends and loved ones likewise.)

PhantomGremlin9y ago

never install the .0 version of anything

We're already on 10.0.2, so we've already had a few updates.

2 more replies

jxy9y ago

   > Early 2016 we were the first company in the UK to offer
   > SMShing services. These SMS messages are like phishing
   > emails and contain a pretext alongside a link within the
   > message.  When a mark receives an SMS message and clicks the
   > link a host of details are available to us.

This kind of thing happens with email too. In Apple Mail you can disable the loading of external contents. Does anyone know in detail how the preview in iMessage work?

omarforgotpwd9y ago

Sending the requests from the client is probably not the most secure idea. Requests should be proxied through a cloud server on Apple's end to reduce the security risk of these previews.

simonh9y ago

As has been pointed out below, iMessages are end-to-end encrypted so Apple has no way to read the URL to proxy it.

spullara9y ago

You could still have the client use Apple as a proxy. This would reduce the privacy of the message but only the URL and only exposing it to specific service at Apple. If it is a SOCKS proxy, you could reduce the exposure to just the IP address and some amount of leakage to whatever DNS server the phone is using.

1 more reply

blixt9y ago

The client can still ask the Apple server for the metadata, since Apple already knows your IP from the push notification channel anyway. Ideally Apple would ensure that this lookup is not logged or stored in any way so there's no repository of the links people have sent to you anywhere.

mashlol9y ago

The client could send the request to Apple though, and pass the URL through that way, instead of requesting the actual URL. There's a trade-off there though that Apple gets to see all the links being sent over iMessage.

1 more reply

gengkev9y ago

There have been zero-days in the past that only require loading a website, right? So loading links automatically should be a massive concern for iOS security. Back in August, when zero-days used by the NSO Group were discovered, it was only because activist Ahmed Mansoor didn't click on a link in a text message. https://citizenlab.org/2016/08/million-dollar-dissident-ipho...

sisk9y ago

Incidentally, I received a bit of iMessage spam this weekend that I looked into. Was a series of 302s to an affiliate link. So this is actively being used right now for financial gain.

jafingi9y ago

Apple should fetch the data via their servers instead of the clients'. It leaks way too much information.

pfg9y ago

Messages are end-to-end encrypted in iMessage, meaning Apple cannot read the message contents. This solution would require Apple to bypass that encryption for URLs (which are often privacy-sensitive).

A good approach would be for the sender to fetch the URL and embed the preview as metadata along with the message. The only downside is that the sender could spoof the preview, but I think that's an acceptable trade-off here (not much of a phishing vector when you end up loading the original site once you open the link anyway).

mhowland9y ago

No need to do in transit. I mean iMessage could simply proxy all http/https requests post decryption in iMessage, pre-request.

At the end of the day this privacy trade off (apple gets your browsing info) is probably more secure than an embedded webview that could potentially be exploited and is auto-loaded. Similar to how Chrome alerts of malicious sites...I see this as a long term larger attack vector than privacy leakage.

1 more reply

Chronic9q9y ago

> Messages are end-to-end encrypted in iMessage, meaning Apple cannot read the message contents.

Ha. Cute.

O5vYtytb9y ago

Many comments are in regards to fixing this feature. I think this is one of those situations where the feature (previewing links) is not a good idea in the first place, or at least do not enable it by default.

diegorbaquero9y ago

What's wrong with web hosts nowadays? a few 100 users and everything dies.

Cached: https://webcache.googleusercontent.com/search?q=cache%3Ahttp...

throwanem9y ago

Wordpress with no caching plugin on a $5-a-month droplet, that's what. It's a pleasant enough platform to use, but if you don't cache content and you make the HN frontpage, you're gonna have a bad time.

circular_logic9y ago

If you are going to use a out of the box like wordpress why use a VPS instead of a hosting provider? Purely just to store your own data?

1 more reply

dx0349y ago

Any experience how many users you get from the front page? I guess there are a lot more clicks than comments, so it could've been 10k-100k?

Should of course still be no problem for any server that serves cached content, but somehow that number of requests brings down a fair amount of frontpage posts..

digi_owl9y ago

I find myself thinking a recent story of an middle eastern human rights activist who's iPhone was attempted hacked via a sms url. He avoided it by not tapping the url. I do wonder if this preview "feature" will help automate future attacks.

It seems that whenever we try to make software helpful we produce more problems.

0x006A9y ago

it also happens on the macOS and there is no way to disable it.

simonh9y ago

You can disable auto-loading of images in Mail.app.

jonknee9y ago

What does that have to do with Messages?

1 more reply

m0r0c4sh9y ago

Well it's possible to disable imessage right?

Go to settings > messages > and disable iMessage.

That should be a temporary fix right?

osi9y ago

imessage won't auto-load previews until you ask it to do it the first time.

yoz-y9y ago

But there is no way to disable this once you have accepted it. I do not actually remember having been given the choice but it has been some time so I probably just do not remember.

Ideally one could enable previews only from contacts.

osi9y ago

correct - i couldn't find a way to disable if you've changed your mind.

j / k navigate · click thread line to collapse

45 comments

jonknee9y ago

tl;dr iMessage now previews links automatically

spullara9y ago

What makes this more frustrating is that the link previews are a pretty terrible user experience.

userbinator9y ago

throwanem9y ago

PhantomGremlin9y ago

never install the .0 version of anything

We're already on 10.0.2, so we've already had a few updates.

2 more replies

jxy9y ago

   > Early 2016 we were the first company in the UK to offer
   > SMShing services. These SMS messages are like phishing
   > emails and contain a pretext alongside a link within the
   > message.  When a mark receives an SMS message and clicks the
   > link a host of details are available to us.

This kind of thing happens with email too. In Apple Mail you can disable the loading of external contents. Does anyone know in detail how the preview in iMessage work?

omarforgotpwd9y ago

Sending the requests from the client is probably not the most secure idea. Requests should be proxied through a cloud server on Apple's end to reduce the security risk of these previews.

simonh9y ago

As has been pointed out below, iMessages are end-to-end encrypted so Apple has no way to read the URL to proxy it.

spullara9y ago

1 more reply

blixt9y ago

mashlol9y ago

1 more reply

gengkev9y ago

sisk9y ago

Incidentally, I received a bit of iMessage spam this weekend that I looked into. Was a series of 302s to an affiliate link. So this is actively being used right now for financial gain.

jafingi9y ago

Apple should fetch the data via their servers instead of the clients'. It leaks way too much information.

pfg9y ago

mhowland9y ago

No need to do in transit. I mean iMessage could simply proxy all http/https requests post decryption in iMessage, pre-request.

1 more reply

Chronic9q9y ago

> Messages are end-to-end encrypted in iMessage, meaning Apple cannot read the message contents.

Ha. Cute.

O5vYtytb9y ago

diegorbaquero9y ago

What's wrong with web hosts nowadays? a few 100 users and everything dies.

Cached: https://webcache.googleusercontent.com/search?q=cache%3Ahttp...

throwanem9y ago

circular_logic9y ago

If you are going to use a out of the box like wordpress why use a VPS instead of a hosting provider? Purely just to store your own data?

1 more reply

dx0349y ago

Any experience how many users you get from the front page? I guess there are a lot more clicks than comments, so it could've been 10k-100k?

Should of course still be no problem for any server that serves cached content, but somehow that number of requests brings down a fair amount of frontpage posts..

digi_owl9y ago

It seems that whenever we try to make software helpful we produce more problems.

0x006A9y ago

it also happens on the macOS and there is no way to disable it.

simonh9y ago

You can disable auto-loading of images in Mail.app.

jonknee9y ago

What does that have to do with Messages?

1 more reply

m0r0c4sh9y ago

Well it's possible to disable imessage right?

Go to settings > messages > and disable iMessage.

That should be a temporary fix right?

osi9y ago

imessage won't auto-load previews until you ask it to do it the first time.

yoz-y9y ago

But there is no way to disable this once you have accepted it. I do not actually remember having been given the choice but it has been some time so I probably just do not remember.

Ideally one could enable previews only from contacts.

osi9y ago

correct - i couldn't find a way to disable if you've changed your mind.

j / k navigate · click thread line to collapse