iMessage Preview Problems; leak your location by receiving a text message

iMessage Preview Problems; leak your location by receiving a text message(theantisocialengineer.com)

36 points by deep_attention 9 years ago | 45 comments

jonknee 9 years ago |

tl;dr iMessage now previews links automatically

> The updated iMessage loads the link preview and in essence clicks the link for you! That’s what irks us with this, the choice. OK we might not stop people clicking links anytime soon but Apple have taken this very choice away from us and facilitate the information leakage. The very act of receiving an SMS message can reveal your rough geographic location, your cellular operator, your current WiFi network.

spullara 9 years ago | |

What makes this more frustrating is that the link previews are a pretty terrible user experience.

userbinator 9 years ago | | |

I don't use iMessage but I've noticed this "design pattern" turning up in various other apps, and I hate those bloody things. They're extremely distracting and annoying because they often include "loud" imagery too, when I'm only trying to read the text. I turn them off whenever I can.

throwanem 9 years ago | |

It's an unusual and disappointing error on Apple's part. I wouldn't be surprised to see it corrected in the first iOS 10 update. (And this is why we never install the .0 version of anything, and counsel our friends and loved ones likewise.)

PhantomGremlin 9 years ago | | |

never install the .0 version of anything

We're already on 10.0.2, so we've already had a few updates.

jxy 9 years ago |

   > Early 2016 we were the first company in the UK to offer
   > SMShing services. These SMS messages are like phishing
   > emails and contain a pretext alongside a link within the
   > message.  When a mark receives an SMS message and clicks the
   > link a host of details are available to us.

This kind of thing happens with email too. In Apple Mail you can disable the loading of external contents. Does anyone know in detail how the preview in iMessage work?

omarforgotpwd 9 years ago |

Sending the requests from the client is probably not the most secure idea. Requests should be proxied through a cloud server on Apple's end to reduce the security risk of these previews.

simonh 9 years ago | |

As has been pointed out below, iMessages are end-to-end encrypted so Apple has no way to read the URL to proxy it.

spullara 9 years ago | | |

You could still have the client use Apple as a proxy. This would reduce the privacy of the message but only the URL and only exposing it to specific service at Apple. If it is a SOCKS proxy, you could reduce the exposure to just the IP address and some amount of leakage to whatever DNS server the phone is using.

blixt 9 years ago | | |

The client can still ask the Apple server for the metadata, since Apple already knows your IP from the push notification channel anyway. Ideally Apple would ensure that this lookup is not logged or stored in any way so there's no repository of the links people have sent to you anywhere.

mashlol 9 years ago | | |

The client could send the request to Apple though, and pass the URL through that way, instead of requesting the actual URL. There's a trade-off there though that Apple gets to see all the links being sent over iMessage.

gengkev 9 years ago | |

There have been zero-days in the past that only require loading a website, right? So loading links automatically should be a massive concern for iOS security. Back in August, when zero-days used by the NSO Group were discovered, it was only because activist Ahmed Mansoor didn't click on a link in a text message. https://citizenlab.org/2016/08/million-dollar-dissident-ipho...

sisk 9 years ago |

Incidentally, I received a bit of iMessage spam this weekend that I looked into. Was a series of 302s to an affiliate link. So this is actively being used right now for financial gain.

jafingi 9 years ago |

Apple should fetch the data via their servers instead of the clients'. It leaks way too much information.

pfg 9 years ago | |

Messages are end-to-end encrypted in iMessage, meaning Apple cannot read the message contents. This solution would require Apple to bypass that encryption for URLs (which are often privacy-sensitive).

A good approach would be for the sender to fetch the URL and embed the preview as metadata along with the message. The only downside is that the sender could spoof the preview, but I think that's an acceptable trade-off here (not much of a phishing vector when you end up loading the original site once you open the link anyway).

mhowland 9 years ago | | |

No need to do in transit. I mean iMessage could simply proxy all http/https requests post decryption in iMessage, pre-request.

At the end of the day this privacy trade off (apple gets your browsing info) is probably more secure than an embedded webview that could potentially be exploited and is auto-loaded. Similar to how Chrome alerts of malicious sites...I see this as a long term larger attack vector than privacy leakage.

Chronic9q 9 years ago | | |

> Messages are end-to-end encrypted in iMessage, meaning Apple cannot read the message contents.

Ha. Cute.

O5vYtytb 9 years ago |

Many comments are in regards to fixing this feature. I think this is one of those situations where the feature (previewing links) is not a good idea in the first place, or at least do not enable it by default.

diegorbaquero 9 years ago |

What's wrong with web hosts nowadays? a few 100 users and everything dies.

Cached: https://webcache.googleusercontent.com/search?q=cache%3Ahttp...

throwanem 9 years ago | |

Wordpress with no caching plugin on a $5-a-month droplet, that's what. It's a pleasant enough platform to use, but if you don't cache content and you make the HN frontpage, you're gonna have a bad time.

circular_logic 9 years ago | | |

If you are going to use a out of the box like wordpress why use a VPS instead of a hosting provider? Purely just to store your own data?

dx034 9 years ago | |

Any experience how many users you get from the front page? I guess there are a lot more clicks than comments, so it could've been 10k-100k?

Should of course still be no problem for any server that serves cached content, but somehow that number of requests brings down a fair amount of frontpage posts..

digi_owl 9 years ago |

I find myself thinking a recent story of an middle eastern human rights activist who's iPhone was attempted hacked via a sms url. He avoided it by not tapping the url. I do wonder if this preview "feature" will help automate future attacks.

It seems that whenever we try to make software helpful we produce more problems.

0x006A 9 years ago |

it also happens on the macOS and there is no way to disable it.

simonh 9 years ago | |

You can disable auto-loading of images in Mail.app.

jonknee 9 years ago | | |

What does that have to do with Messages?

m0r0c4sh 9 years ago |

Well it's possible to disable imessage right?

Go to settings > messages > and disable iMessage.

That should be a temporary fix right?

osi 9 years ago |

imessage won't auto-load previews until you ask it to do it the first time.

yoz-y 9 years ago | |

But there is no way to disable this once you have accepted it. I do not actually remember having been given the choice but it has been some time so I probably just do not remember.

Ideally one could enable previews only from contacts.

osi 9 years ago | | |

correct - i couldn't find a way to disable if you've changed your mind.