OS X Messages (iMessage): XSS & File Disclosure

by Joe DeMesy, Shubham Shah, and Matthew Bryant, on Apr 8, 2016 5:00:21 AM

Patch Date

March 21, 2016

Reported Date

February 2016



Systems Affected

Messages (iMessage) on OS X <= 9.1


Messages (iMessage) for OS X, a popular messaging platform from Apple, implements much of its user interface via an embedded version of WebKit. iMessage will also render any URI as a clickable HTML <a href= link. An attacker can create a simple JavaScript URI (e.g., javascript:) that, when clicked, allows the attacker’s code to gain initial execution (cross-site scripting) in the context of the application DOM. Though the embedded WebKit library used by Messages for OS X executes in an ‘applewebdata://’ origin, an attacker can still read arbitrary files via ‘XMLHttpRequest’ (XHR) GET requests to a `file://`URI since there is no same-origin policy implemented. By abusing XHR, an attacker can read and subsequently upload a victim’s entire chat history and attachments to a remote server. The only user interaction required is clicking on a link. Furthermore, if the victim has text messages forwarded to their computer (SMS forwarding), the attacker can also recover any messages sent to or from the victim’s iPhone.

Vendor Status

The OS X El Capitan v10.11.4 and Security Update 2016-002 fixed this issue as of March 21, 2016. The CVE for this vulnerability is CVE-2016-1764.

Exploit Details

Our accompanying blog post has a detailed write-up of how this vulnerability was exploited.


Vulnerabilities:Cross-site Scripting


Vulnerability Disclosure Policy

Bishop Fox takes security issues very seriously. We believe in coordinated disclosure, and we work closely with vendors and clients to patch vulnerabilities promptly. More on our Disclosure Policy →

Subscribe to Updates