iMessage and OpenGraph for Fun and Profit
Purpose and motivation
What if we clicked beyond sensationalist headlines? What if we, with our many collective years of network and web security experience, enforced verification by both client and server, or sender and recipient? The world would probably be way less fun, because today we can forge arbitrary and convincing iMessage link previews (ostensibly from sources like CNN, BBC, or the Federal Reserve) with four HTML tags.
I'm also guilty of sensationalizing here. This is more of a gag than anything, and consists purely of misuse as opposed to any kind of exploitation. It does, however, raise questions as to how we should handle OpenGraph and similar standards going forward. I'm picking on iMessage because it's the worst offender I identified during some poking around.
At the very least, you can test who among your circle actually clicks past iOS link previews.
In short: the sending iOS device visits an attacker-controlled webpage, builds a link preview from that page's OpenGraph tags, and the receiving iOS devices render that preview as-is, trusting the claimed source rather than the address the page was actually fetched from. This example uses a bridged VM accessible on your LAN, but hypothetically any page you can 1) reach from the sending iOS device and 2) exercise control over will work.
- Ubuntu 18.04.6 guest running in VirtualBox, with bridged networking
- Apple mobile device running iOS 16
- I'm disabling AP isolation so the mobile device can talk to the VM. This isn't necessary for an internet-accessible page.
- boot the VM with the live ISO, making sure to select bridged networking so the guest is assigned its own IP address on the LAN
- open a shell in the VM and install apache2:

```shell
sudo apt update && sudo apt install -y apache2
```

- overwrite the Apache default landing page at /var/www/html/index.html with a crafted, minimal set of OpenGraph tags. For the example above I used this content:
```html
<meta property="og:type" content="article" />
<meta property="og:title" content="Biden and Xi Sign Resolution Affirming Emacs Superiority Over Vim" />
<meta property="og:url" content="https://cnn.com" />
<meta property="og:image" content="https://www.politico.com/dims4/default/673ad23/2147483647/legacy_thumbnail/1200x799%3E/quality/90/?url=https%3A%2F%2Fstatic.politico.com%2F1e%2Fe9%2F22e718ad4cd2b2ffbdbb9c7c44e1%2F211112-joe-biden-xi-jinping-getty-773.png" />
```
- og:title: the title of the content the recipient will see in the preview
- og:type: I've only used articles. Unknown how other choices affect behavior
- og:url: the source site the user will see, and where they'll land if they click through. The preview shows this URL in place of the VM's LAN IP address
- og:image: a direct link to the desired preview image. I used a random shot from Google
- on your iOS device, navigate to the IP address of the bridged VM
- share the page with iMessage recipients; the crafted preview is rendered on their devices
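The check that would defeat the procedure above is simple: compare the host the preview generator actually fetched the page from with the host that og:url claims, and display the real one (or at least refuse to substitute the claimed one) when they differ. The following is an added example, not code from the original post and not a description of how iMessage itself builds previews: a small OpenGraph extractor plus that mismatch check, run over a constructed copy of the crafted tags. The LAN address 192.168.1.50 and the image URL are assumed placeholders.

```python
"""Extract OpenGraph tags the way a naive link-preview generator would, then
flag the case this post exploits: og:url pointing at a host other than the one
the page was actually fetched from.

Added example; not code from the original post. Sample pages below are
constructed. 192.168.1.50 is an assumed LAN address for the bridged VM.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class OpenGraphParser(HTMLParser):
    """Collect <meta property="og:*" content="..."> tags from a document."""

    def __init__(self):
        super().__init__()
        self.tags = {}

    def handle_starttag(self, tag, attrs):
        # HTMLParser routes self-closing <meta ... /> through here as well.
        if tag != "meta":
            return
        attr = dict(attrs)
        prop = attr.get("property", "")
        if prop.startswith("og:") and "content" in attr:
            # First occurrence wins, as most preview generators behave.
            self.tags.setdefault(prop, attr["content"])


def parse_open_graph(html):
    """Return a dict of og:* property -> content for the given HTML."""
    parser = OpenGraphParser()
    parser.feed(html)
    return parser.tags


def preview_host_mismatch(fetched_url, og):
    """Return (flagged, fetched_host, claimed_host).

    flagged is True when og:url names a different host than the URL the page
    was really fetched from; that is exactly the spoof described in the post.
    """
    fetched_host = urlparse(fetched_url).hostname or ""
    claimed_host = urlparse(og.get("og:url", fetched_url)).hostname or ""
    return fetched_host.lower() != claimed_host.lower(), fetched_host, claimed_host


def build_preview(fetched_url, html):
    """Build a preview dict. Unlike a naive client, it shows the fetched host
    whenever og:url disagrees with it, and records that a mismatch occurred."""
    og = parse_open_graph(html)
    flagged, real_host, claimed_host = preview_host_mismatch(fetched_url, og)
    return {
        "title": og.get("og:title", ""),
        "displayed_site": real_host if flagged else claimed_host,
        "claimed_site": claimed_host,
        "image": og.get("og:image", ""),
        "spoofed_origin": flagged,
    }


# Constructed sample mirroring the crafted index.html from the post
# (image URL replaced with a placeholder).
CRAFTED_PAGE = """
<meta property="og:type" content="article" />
<meta property="og:title" content="Biden and Xi Sign Resolution Affirming Emacs Superiority Over Vim" />
<meta property="og:url" content="https://cnn.com" />
<meta property="og:image" content="https://example.invalid/preview.png" />
"""

# Constructed honest page: og:url agrees with where it was fetched from.
HONEST_PAGE = """
<html><head>
<meta property="og:title" content="Local test page" />
<meta property="og:url" content="http://192.168.1.50/index.html" />
</head></html>
"""

if __name__ == "__main__":
    fetched = "http://192.168.1.50/"  # assumed VM address
    for page in (CRAFTED_PAGE, HONEST_PAGE):
        print(build_preview(fetched, page))
```

Running the block prints two previews: the crafted one comes back with spoofed_origin set and the VM's address as the displayed site, while the honest page passes untouched. The same comparison belongs on the receiving side too, since in the iMessage case it is the recipient's device that renders whatever the sender's device produced.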
Please reach out to me at jack𝔞𝔱persist.tools with any thoughts/questions/developments/creative thoughts on OpenGraph, etc. etc. 🙂
- When the page is hosted on your LAN, devices not on the LAN cannot re-share the content. I haven't tested other network architectures, e.g., hosting a remote attacker-controlled page available to both sender and recipient
- The approach (LAN-local, minimal OpenGraph tag set) outlined above only works with iMessage. I could not replicate the behavior with WhatsApp or Signal