iMessage and OpenGraph for Fun and Profit Purpose and motivation What if we clicked beyond sensationalist headlines? What if we — with our many collective years of network and web security experience — enforced verification by both client and server, or sender and recipient? The world would probably be way less fun, because today we can forge arbitrary and convincing iMessage link previews (ostensibly from sources like CNN, BBC, or the Federal Reserve) with four html tags. I'm also guilty of sensationalizing here. This is more of a gag than anything — and consists purely of misuse as opposed to any kind of exploitation. It does however raise questions as to how we should handle OpenGraph and similar standards going forwards. I'm picking on iMessage because it's the worst offender I identified during some poking around. At the very least, you can test who among your circle actually clicks past iOS link previews. ~~~ Env/Preparation In short, we're serving bad content from an iOS device visiting an attacker-controlled webpage. Receiving iOS devices trust the bad content by default. This example uses a bridged VM accessible on your LAN, but hypothetically any page you can 1) hit from your attacker iOS device and 2) exercise control over will work. My env:

• Ubuntu 18.04.6 guest running in VirtualBox, with bridged networking
• Apple mobile device running iOS 16
• I'm disabling AP isolation so the mobile device can talk to the VM. This isnt't necessary for an internet-accessible page.

~~~ Steps

1. boot the VM with the live ISO - make sure to select bridged networking so the guest is assigned a distinct IP
2. open a shell in the VM and install apache2: sudo apt update && sudo apt install -y apache2
3. overwrite the apache default landing page with a crafted, minimal set of OpenGraph tags. For the example above I overwrote the file at /var/www/html/index.html with content: <!DOCTYPE html> <html> <head> <meta property="og:type" content="article" /> <meta property="og:title" content="Biden and Xi Sign Resolution Affirming Emacs Superiority Over Vim" /> <meta property="og:url" content="https://cnn.com" /> <meta property="og:image" content="https://www.politico.com/dims4/default/673ad23/2147483647/legacy_thumbnail/1200x799%3E/quality/90/?url=https%3A%2F%2Fstatic.politico.com%2F1e%2Fe9%2F22e718ad4cd2b2ffbdbb9c7c44e1%2F211112-joe-biden-xi-jinping-getty-773.png" /> </head> </html>
   • og:titleThis is title of the content the recipient will receive
   • og:typeI've only used articles. Unknown how other choices affect behavior
   • og:urlThis is the source site the user will see, and where they'll land if they click through. The LAN IP address is replaced with this url
   • og:imageA direct link to some desired preview image. I used a random shot from google
4. on your iOS device, navigate to the IP address of the bridged VM
5. sharing the page with iMessage recipients results in the crafted content preview

~~~ Caveats

• When the page is hosted on your LAN, devices not on the LAN cannot re-share the content. I haven't tested other network architectures, e.g., hosting a remote attacker-controlled page available to both sender and recipient
• The approach (LAN-local, minimal OpenGraph tag set) outlined above only works with iMessage. I could not replicate the behavior with WhatsApp or Signal

Please reach out to me at jack𝔞𝔱persist.tools with any thoughts/questions/developments/creative thoughts on OpenGraph, etc. etc. 🙂