Phishing in iOS 10 and macOS Sierra

Cross Site Request Forgery (CSRF) is ranked as the third most critical web application flaw in OWASP as of 2013 (the 2016 data call is out now and I bet CSRF is not going anywhere).

While CSRF vulnerability isn't a paticularly hard problem to solve, it's becoming even more prevalent in the world of micro services.

How it works

Imagine you belong to Bank Of Mars and you want to transfer 100 martian dollars to your friend.

You first authenticate to Bank of Marse with your username and password. A cookie is saved in your browser with your Session-ID so you don't have to type in your password every time you click on a link.

You navigate to "Transfer Funds to Friends and Family" tab and choose to send mony to Alice.

Appon selecting Alice and filling in the amount, you click submit.

A GET request is sent to the server with the fullowing URL

GET https://bankofmars.com/pay?user=alice&amount=100

Notice how both Alice and 100 appear in the URL.

Now an attacker can phish you by sending you a link that is descised as something else.

For instance: Click here to see who's been looking at your Facebook profile

Hopefully you didn't click that, but if you did and you happened to be a customer of Bank of Mars (and you were logged into to the Bank of Mars), you would have given TheHacker one million dollars.

The problem with iOS and macOS Sierra

In an effort to make the device easier to use, apple has opted to provide a very pretty preview card of the url sent to you using iMessage.

For instance if you send some one a link to

http://www.npr.org/

they get something like this.

iMessage preview example

But say we shared the link

http://www.npr.org/people/6597623/guy-raz

iMessage deep link preview

Notice how in both examples, the only identifying information about the site npr.org.

No protocal denoted

My bigest problem with this, the protocal is missing. Without knowing if I'm accessing an SSL site, I might fall victim to much more than CSRF.

No paths identified

I might be willing to click on a link that will take me to the home page of a site over a link with a path and even worse, url parameters.

No way to copy it and examin the link

By 3D touching the image to bring up the "Copy" menu, the page renders itself, executing its scripts.

Now let's look at the backend

When the preview loads, the same query is sent to the back. As if you were loading the page

The question remians, does the preview from iMessage have access to Safari's cookie store?

Code:

With the following code, I visited the page in question on safari. Since I've never visited this page on Safari, I was greeded with the following:

Upon a refresh, I was greeted with

Now the question is, what will iMessage load?

As expected, iMessage on macOS opened the default browser to the requested page which displayed the sessionID. This demonstrates that an attacker could send specially crafted links, the user could be fooled to click on it.

On macOS, if you simply hover over the link, you can see the full link. However, I believe that by providing this "feature", apple is is training users to simply click on the link

The same is true on iOS, by doing a long press (not 3D touch) a user can see the full url. However, intresting enough, Messages on iOS seems to have a cache seprate from the main safari browser. A cache that I could not erase.

The following gif shows a preview of the domain that I previewd within the messages app; hence it has the session id. However, when visiting Safari (after I had cleared the cache) the page has no cookies to display.

While Apple provides some ways of getting the full URL before clicking on the preview, they are often hard to obtain.

For instance, doing a "long press" and "3D touch" on iOS is not different enough to where the user wouldn't accidently "3D touches" and activates the preview causing the page to execute, or even worse, 3D touches again and the page opens with the Safair Cookie's loaded.


October 10 2016