Apple iMessage URLs ship OS, device, and IP data to sites, dev says
Implementation a bit slack
British developer Ross McKillop says Apple's implementation of URL previews leaks users' IP address and operating system information to websites.
The leakage might be a boon to spammers, who could use the operating system information and IP address data to better hone their attacks.
Links subject to previews, which display an image of the linked website along with some text, are used across applications and services including Slack and Facebook.
Those services send the requests for linked pages from their own servers rather than from the user's device, safeguarding users.
Any Apple user merely receiving an iMessage URL preview will have their IP address, operating system, and device type disclosed to the linked website.
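To show concretely what a site operator sees when a preview is fetched from the device itself, here is an added example (not from the article or from McKillop's write-up): a small access-log parser that pulls the client IP, device type and OS version out of a WebKit user-agent string. The log lines and user-agent strings are constructed samples in the usual Safari/WebKit format, not captured iMessage traffic.

```python
import re
from typing import Optional

# Combined Log Format as written by Apache/nginx: client IP, request line,
# status, size, referer and user-agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Platform and OS-version fragments commonly present in Safari/WebKit user-agents.
DEVICE_RE = re.compile(r'\((?P<device>iPhone|iPad|iPod|Macintosh);')
IOS_RE = re.compile(r'CPU (?:iPhone )?OS (?P<ver>\d+(?:_\d+)*) like Mac OS X')
MACOS_RE = re.compile(r'Mac OS X (?P<ver>\d+(?:_\d+)*)')


def parse_preview_fetch(line: str) -> Optional[dict]:
    """Return what the site learns from one request line, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ua = m.group("ua")
    request = m.group("request")
    dev = DEVICE_RE.search(ua)
    os_match = IOS_RE.search(ua) or MACOS_RE.search(ua)
    return {
        "ip": m.group("ip"),
        "path": request.split(" ")[1] if " " in request else request,
        "device": dev.group("device") if dev else None,
        "os_version": os_match.group("ver").replace("_", ".") if os_match else None,
        "is_webkit": "AppleWebKit" in ua,
    }


# Constructed sample lines (not real traffic): an iPhone and a Mac fetching the same link.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2016:13:55:36 +0000] "GET /invite HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0_2 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Mobile/14A456"
198.51.100.4 - - [10/Oct/2016:13:56:01 +0000] "GET /invite HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12) AppleWebKit/602.1.50 (KHTML, like Gecko)"
"""


def summarize(log_text: str) -> list:
    """Parse every non-empty line, dropping those that do not match the log format."""
    rows = (parse_preview_fetch(ln) for ln in log_text.splitlines() if ln.strip())
    return [r for r in rows if r]


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

Each parsed row is exactly the triple the article describes (IP address, device type, OS version) that a direct-from-device fetch hands to whoever controls the linked site.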
Considering attack vectors, McKillop goes further and suggests exploits could be built to trigger when the URL is opened as a preview.
"As this request is clearly being made, and parsed, by Safari from the user-agent string it's reasonable to believe that there is potential that an exploit found in Safari could be triggered without the target even browsing to the site, simply by sending them an iMessage containing that URL," McKillop says.
"There is no way to switch off this automatic request behaviour, therefore no way to disable this.
"Hopefully Apple will either change this or make it an option to request via a proxy enabled by default."