iMessage has been patched by Apple to address a vulnerability that allowed a malicious hacker to steal a user’s chat history and MMS media wirelessly by sending a single link. If a user were to click on this link, which is a set of Javascript commands, their data would be transmitted to the hacker’s server, with no way of reversing the process.
The attacks focused on the iMessage client for OS X, but could work on any iPhone that had turned SMS forwarding on, according to The Verge .
The bug was discovered by Joe DeMesy, Shubham Shah and Matthew Bryant (Uber Security Team), who told Apple about the iMessage vulnerability before anybody malicious could use the cross-scripting bug for nefarious purposes.
Apple fixed the bug in March 2016, with an update called CVE-2016-1764 . For technical details on how the attack could have been carried out, make sure to watch the video below or read this blog post on Bishop Fox .
The trio of researchers conclude on a worthwhile point. URLs can wreak damage on a computer system, and many people assume them to be harmless, which is far from the truth.
So the best bet is treat URLs like candy: If they’re coming from a stranger, just say no.