Yesterday, at the security conference Black Hat, held in Las Vegas, the expert Google Project Zero and Natalie Silvanovich told about security problems in the client iMessage. In case of successful exploitation of these bugs, an attacker could gain control over user’s device.
At the moment Apple has fixed five vulnerabilities. While there are still several bugs that need separate patches.
“Such gaps can lead to code execution. With their help, the attacker will also be able to access your data,” said Silvanovich.
Expert Google Project Zero began to look for these vulnerabilities after the sensational stories about security issues with WhatsApp messenger. Recall that the vulnerability of WhatsApp was enabled by means of calls to install spy on iPhone and Android.
Silvanovich checked SMS, MMS, voice mail for the presence of these bugs — empty, nothing found. After that, the expert suggested that such problems may have iMessage.
She put the Apple product reverse engineering and immediately found several vulnerabilities that could be used by potential attackers. The reason for the presence of vulnerabilities may lie in how iMessage is a fairly complex platform that includes a set of features and capabilities.
One of the most interesting problems Silvanovich found in the fundamental logic of the application, the attacker could easily extract data from text messages to the user.
To do this, the attacker would need to send special text message and the iMessage server will send in response to certain data of the attacked victim. Among these will be the contents of text messages, and sent and received images.
Other bugs discovered by the researcher, lead to the execution of malicious code. They can also be delivered with a simple text message.
Read more •••