OS X Messages (iMessage): XSS & File Disclosure

Patch Date

March 21, 2016

Reported Date

February 2016
Systems Affected

Messages (iMessage) on OS X <= 9.1
Messages (iMessage) for OS X, a popular messaging platform from Apple, implements much of its user interface via an embedded version of WebKit. Messages also renders any URI in a message as a clickable HTML anchor (`<a href="…">`). An attacker can craft a simple JavaScript URI (e.g., `javascript:`) that, when clicked, gives the attacker’s code initial execution (cross-site scripting) in the context of the application DOM. Although the embedded WebKit instance used by Messages for OS X runs in an `applewebdata://` origin, no same-origin policy is enforced, so the attacker’s script can still read arbitrary local files via `XMLHttpRequest` (XHR) GET requests to `file://` URIs. By abusing XHR, an attacker can read and then upload a victim’s entire chat history and attachments to a remote server. The only user interaction required is clicking on a link. Furthermore, if the victim has text messages forwarded to their computer (SMS forwarding), the attacker can also recover any messages sent to or from the victim’s iPhone.
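The root of the problem described above is that every URI in a message becomes a clickable anchor, regardless of scheme. The following is an added example of the defensive pattern that closes that door: a linkifier that only turns URIs with an allowlisted scheme (`http:`, `https:`, `mailto:`) into links and emits everything else, including `javascript:` in any spelling, as inert escaped text. It is illustrative code written for this advisory, not Apple's code and not the Messages rendering path; the function names (`safeHref`, `linkify`) and the allowlist are assumptions of this example.

```javascript
// Added example, not Messages' own rendering code: render chat text so that
// only http(s) and mailto URIs become clickable links. Anything else,
// including javascript: URIs in any spelling, is emitted as escaped text.

const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Minimal HTML escaping for text nodes and attribute values.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Return the normalised URI if its scheme is on the allowlist, else null.
// The WHATWG URL parser (which WebKit also follows) lower-cases the scheme
// and strips ASCII tab/newline, so "JavaScript:" and "java\tscript:" are
// both recognised and rejected rather than slipping past a string compare.
function safeHref(candidate) {
  let url;
  try {
    url = new URL(candidate.trim());
  } catch (_) {
    return null; // not an absolute URI at all
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Scheme-like tokens: "scheme:" followed by non-space, non-markup characters.
const URI_TOKEN = /\b[a-zA-Z][a-zA-Z0-9+.-]*:[^\s<>"']+/g;

// Build the HTML for one message: safe URIs get an <a>, everything else is
// escaped. rel="noopener noreferrer" keeps the opened page from reaching
// back into the opener window.
function linkify(message) {
  let out = "";
  let last = 0;
  for (const m of message.matchAll(URI_TOKEN)) {
    out += escapeHtml(message.slice(last, m.index));
    const href = safeHref(m[0]);
    out += href
      ? `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${escapeHtml(m[0])}</a>`
      : escapeHtml(m[0]);
    last = m.index + m[0].length;
  }
  return out + escapeHtml(message.slice(last));
}
```

Note that the allowlist is the important part, not a denylist of `javascript:`: `data:`, `vbscript:` and custom app schemes are rejected by the same rule without being named. Removing the anchor only blocks the initial execution step; the second half of the attack (XHR reads of `file://` from an `applewebdata://` origin) is a same-origin-policy issue that has to be fixed in the embedding application's WebKit configuration, which this snippet does not address.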

Vendor Status

The OS X El Capitan v10.11.4 and Security Update 2016-002 fixed this issue as of March 21, 2016. The CVE for this vulnerability is CVE-2016-1764.

Exploit Details

Our accompanying blog post has a detailed write-up of how this vulnerability was exploited.