Latest in Gear

Image credit:

OS X update fixed 'simple' bug that could leak your iMessages

Clicking a JavaScript link sends attackers a copy of your entire chat history.
31 Shares
Share
Tweet
Share
Save

Sponsored Links

Researchers explained one large security hole in Apple's iMessage app that received a patch last month, but until now we didn't have details on another vulnerability fixed at the same time. By tricking users into clicking a specially-crafted link, hackers could gain access to the usually encrypted communications in OS X El Capitan's Messages. "You don't need a graduate degree in mathematics to exploit it, nor does it require advanced knowledge of memory management, shellcode or ROP chains," according to security researchers at Bishop Fox -- just knowledge of basic JavaScript.

Simply clicking the nefarious link from a sender grants them access to your plaintext messages and any attachments. That bit of JavaScript could even look like a legitimate link, as you'll see in the video below. From there the cross-site scripting attack (XSS) is executed and uploads your stuff to a remote server. Flaws like these have usually been common in web browsers, but as the team points out, use of rendering engines like WebKit can bring them to other apps as well.

The team reported the problem (CVE-2016-1764) to Apple before publicly announcing how it works, and the company's patch fixes things with "improved content security policy checks." As always, make sure you have all of the latest updates installed, and double check links before blindly clicking on them. Protip: The ones that start with javascript:// probably won't actually reveal what all of your Facebook friends are secretly saying about you.

All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you buy something through one of these links, we may earn an affiliate commission.
Comment
Comments
Share
31 Shares
Share
Tweet
Share
Save

Popular on Engadget

Law enforcement is using a facial recognition app with huge privacy issues

Law enforcement is using a facial recognition app with huge privacy issues

View
Microsoft will fix an Internet Explorer security flaw under active attack

Microsoft will fix an Internet Explorer security flaw under active attack

View
Hitting the Books: Hackers can convince your IoT devices to betray you

Hitting the Books: Hackers can convince your IoT devices to betray you

View
The Morning After: Counting down to SpaceX's next Crew Dragon test

The Morning After: Counting down to SpaceX's next Crew Dragon test

View
Recommended Reading: The internet sleuths who caught the Astros cheating

Recommended Reading: The internet sleuths who caught the Astros cheating

View

From around the web

Page 1Page 1ear iconeye iconFill 23text filevr