So, iMessage has a handy new feature - both on iOS and MacOS - where if you send someone a URL it will extract some metadata from this URL and display it as a clickable link;

You'll be used to this behaviour if you use Facebook or Slack, as it provides useful meaningful content for a link.

However, there's a big difference between their implementation and iMessage.

When you use Facebook or Slack, the website you've linked to will see a request from Facebook or Slack's servers.

Information Leakage

iMessage makes a request from the device itself which reveals some significant information;

  • The target's IP address
  • The target's device type (iPad, iPhone, Mac)
  • The OS version

Also, you'll receive this request from each device the target has, allowing you to extrapolate additional information - for example determine if they're at home (for example, does their Mac and iPhone respond from different IPs), physical location (e.g. if a foreign mobile network IP appears) etc

For example my test returned these two useragents (from my Mac and iPhone);

Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/601.2.4 (KHTML, like Gecko) Version/9.0.1 Safari/601.2.4 facebookexternalhit/1.1 Facebot Twitterbot/1.0"

Mozilla/5.0 (iPhone; CPU iPhone OS 10_0_2 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A456 Safari/602.1

Potential Attack Vector

As this request is clearly being made, and parsed, by Safari from the User-Agent string it's reasonable to believe that there is potential that an exploit found in Safari could be triggered without the target even browsing to the site, simply by sending them an iMessage containing that URL.

Solution

There is no way to switch off this automatic request behaviour, therefore no way to disable this. Hopefully Apple will either change this or make it an option to request via a proxy (enabled by default)

I do, however, accept there are times when having it query based on the users' own device is beneficial (e.g. corporate internal links being sent between employees using the same VPN)

Another Solution - Thanks RevK!

Sometimes the best solution is the most obvious; extract the metadata on the sending device (they obviously trust the URL) and encapsulate that as metadata within the message.