Your iPhone/Mac is Giving You Away-ish - iMessage

We live in an ever-growing age of surveillance, hacking, and tracking. Thankfully, a few companies are taking a positive stance on privacy. Unfortunately, adding new shiny features can reduce privacy.

In this case, we look at an interesting issue with iMessage that nets you the IP of a sender. This is a quick read, I promise. This isn't necessarily a MAJOR issue, however, I think it's something people should be aware of.


Did you recently upgrade to the latest and greatest Apple iOS or MacOS? I'm glad to report that newly added features are great and things are much faster.

One notable change is with the iMessage system. With the addition of stickers, effects, previews, and little thumbs up/downs, you can interact with your friends in a new way. What if I told you, however, that the changes to iMessage are also giving your IP away?

The Issue

"How is it giving me away?"

Unfortunately, if you (an iPhone or Mac user with the latest iOS/MacOS Sierra) sends a link to someone, you disclose your IP address to the destination web server. This means when you send Joe a link to Bob's site, Bob will now see your IP, even if you didn't click on it. Pretty nifty, eh?

Here's an example where I sent myself my own site. When tailing the output of nginx access logs, my IP is disclosed at the time of sending the message:

To double check what I was looking at, I had a friend send me a link to my site (they are on iOS 10 and also on MacOS Sierra). Before the message even completely rendered in my iMessage, my access logs already had their IP.

Additionally, your IP is disclosed even if you send a link to someone that doesn't have an iPhone.

The Problem

Sure, I may seem paranoid. To me, however, this presents an interesting problem to privacy. This tells me that if any government entity or malicious actor is looking to uncover IPs of a target user and they know they have an Apple product, they can send them a link to a site/server of which they control. OR, better yet, the attacker can setup a site which appeals to a group or movement and just has to wait.

Assuming that the target sends that link to a friend or group using iMessage, the government or malicious actor just got the target IP.

The Problem #2

Aside from a malicious threat actor or the gubment, I'd be willing to bet that this is also a wonderful way for websites to obtain IPs for further analytics, tracking, and traffic.

Imagine how many IPs of Apple users are given away to sites now? #Marketing!

Want to Track Apple Users Sending On iMessage?

Just filter for lines in your access log containing:

"GET /apple-touch-icon.png HTTP/1.1"

OR:

"GET /apple-touch-icon-precomposed.png HTTP/1.1"

There you go, you can now track when someone using an updated iPhone or Mac sends someone your site.

Solutions??

Solutions:

  • VPN
  • Check out other messaging apps like Wickr/Wire (not ideal to all)
  • Disable iMessage (also not ideal)

Tweet to https://twitter.com/_infosecdude_ and let me know if you find other solutions. If you do, I'm more than happy to add it to here and mention you. Or hey, I'm open to seeing what projects you make to further track people.


Yes, I am aware that anyone can operate a server and that simply visiting a site will give away an IP... and that this assumes a person/target will actually relay the content via iMessage.

Join EFF!