IN THE MIDDLE of intense public debate over whether Apple should be forced to help the government decrypt iPhones for criminal investigations, the company quietly closed a six-month-old security vulnerability in its Messages app. Newly published details reveal just how severe that vulnerability was, allowing the exfiltration of chat history, including photos and videos, if the user could be tricked into clicking a single malicious link.

The bug, which affected Apple’s laptop and desktop computers from September through March, highlights just how hard it is for companies like Apple to effectively secure sensitive data — even before those companies begin fielding requests from the government for special access. Tech companies like Apple are nearly unanimous in their agreement that creating “backdoors” through which the government may access protected data undermines even the most basic security measures, including those designed to protect against vulnerabilities like the Messages bug.

Apple fixed the Messages vulnerability with a software update March 21, describing it cryptically as “an issue … in the processing of JavaScript links. … Clicking a JavaScript link can reveal sensitive user information.” Full details came on Friday, when the team that discovered the bug at security consultancy Bishop Fox posted a technical write-up and code demonstrating how to exploit the flaw.

The problem was not with Apple’s encryption systems, which remain relatively well-regarded among security experts, but in the “client” software that uses those systems, in this case, Apple’s instant-messaging app Messages, formerly known as iMessage. The problem was confined to versions of Messages that came with the “El Capitan” release of the OS X operating system, meaning that iPhones, iPads, and older versions of OS X were not impacted.

Read more

Related Articles