iMessage Preview Problems; leak your location by receiving a text message

theantisocialengineer.com

36 points by deep_attention 10 years ago · 50 comments

jonknee 10 years ago

tl;dr iMessage now previews links automatically

> The updated iMessage loads the link preview and in essence clicks the link for you! That’s what irks us with this, the choice. OK we might not stop people clicking links anytime soon but Apple have taken this very choice away from us and facilitate the information leakage. The very act of receiving an SMS message can reveal your rough geographic location, your cellular operator, your current WiFi network.

  • spullara 10 years ago

    What makes this more frustrating is that the link previews are a pretty terrible user experience.

    • userbinator 10 years ago

      I don't use iMessage but I've noticed this "design pattern" turning up in various other apps, and I hate those bloody things. They're extremely distracting and annoying because they often include "loud" imagery too, when I'm only trying to read the text. I turn them off whenever I can.

  • throwanem 10 years ago

    It's an unusual and disappointing error on Apple's part. I wouldn't be surprised to see it corrected in the first iOS 10 update. (And this is why we never install the .0 version of anything, and counsel our friends and loved ones likewise.)

    • PhantomGremlin 10 years ago

      > never install the .0 version of anything

      We're already on 10.0.2, so we've already had a few updates.

      • throwanem 10 years ago

        Are we? Go figure - I've been getting the installer popups from Springboard for a while, but I guess it doesn't show minor versions if the major versions differ; it's just been saying "iOS 10", and I took that to mean no patches had been released.

        So I suppose I should say rather I would expect to see it corrected in iOS 10.1, at latest.

        • JonathonW 10 years ago

          iOS 10.0.1 was the first public release of iOS 10; iOS 10.0.2 was a patch released a couple weeks afterwards fixing some bugs with Photos, app extensions, and the lightning 3.5mm adapter. (10.0 was not released to the public in any form-- probably some critical issue was discovered late in testing after 10.0 had been tagged internally but before the GM seed of 10.0.1 was released to developers.)

          This sort of change (fixing link previews) is similar in scope to changes Apple's made in micro (0.0.1) releases before. Whether it happens in a micro release or waits until 10.1 (or even changes anything at all) really depends on how important Apple thinks the issue is.

          At any rate, I doubt the feature is going away completely (link previews were a flagship iOS 10 feature): at best, I'd expect an "Automatically preview links" checkbox in Settings, just like external image downloads in Mail.

      • tombot 10 years ago

        I would have figured Apple proxied the preview to their own URL crawler which could automagically pluck the best preview image, similar to the magic that FB / Slack do when sharing a link. This would mask the IP / Geo and Apple could cache a preview image.

        • pfg 10 years ago

          It would also expose any URL you send or receive via iMessage to Apple, whereas messages are otherwise end-to-end encrypted.

jxy 10 years ago

> Early 2016 we were the first company in the UK to offer SMShing services. These SMS messages are like phishing emails and contain a pretext alongside a link within the message. When a mark receives an SMS message and clicks the link a host of details are available to us.

This kind of thing happens with email too. In Apple Mail you can disable the loading of external contents. Does anyone know in detail how the preview in iMessage works?

omarforgotpwd 10 years ago

Sending the requests from the client is probably not the most secure idea. Requests should be proxied through a cloud server on Apple's end to reduce the security risk of these previews.

  • simonh 10 years ago

    As has been pointed out below, iMessages are end-to-end encrypted so Apple has no way to read the URL to proxy it.

    • spullara 10 years ago

      You could still have the client use Apple as a proxy. This would reduce the privacy of the message but only the URL and only exposing it to a specific service at Apple. If it is a SOCKS proxy, you could reduce the exposure to just the IP address and some amount of leakage to whatever DNS server the phone is using.

      • jonknee 10 years ago

        Why not have the sender do that work so Apple can just stay out of it?

        • spullara 10 years ago

          The sender could be a dumb SMS client. I'd be happy to just turn off previews entirely.

          • mhurron 10 years ago

            Which is the right way to do it and exactly how every email client does. Do you want to see previews? Have the device make the request. Do you not want to see previews? The device shouldn't make those requests.

          • simonh 10 years ago

            I think the idea then would be you'd only ever show embedded previews, so URLs from dumb SMS senders just wouldn't have a preview.

          • jonknee 10 years ago

            OK, so just limit it to iMessage users like a lot of other iMessage features.

    • blixt 10 years ago

      The client can still ask the Apple server for the metadata, since Apple already knows your IP from the push notification channel anyway. Ideally Apple would ensure that this lookup is not logged or stored in any way so there's no repository of the links people have sent to you anywhere.

    • mashlol 10 years ago

      The client could send the request to Apple though, and pass the URL through that way, instead of requesting the actual URL. There's a trade-off there though that Apple gets to see all the links being sent over iMessage.

      • simonh 10 years ago

        > There's a trade-off there though that Apple gets to see all the links being sent over iMessage.

        Exactly, this is what all the other replies saying 'just proxy the client URL call through Apple' are missing. It's not just that the iMessage was encrypted. There's also _why_ it is encrypted in the first place.

  • gengkev 10 years ago

    There have been zero-days in the past that only require loading a website, right? So loading links automatically should be a massive concern for iOS security. Back in August, when zero-days used by the NSO Group were discovered, it was only because activist Ahmed Mansoor didn't click on a link in a text message. https://citizenlab.org/2016/08/million-dollar-dissident-ipho...

sisk 10 years ago

Incidentally, I received a bit of iMessage spam this weekend that I looked into. Was a series of 302s to an affiliate link. So this is actively being used right now for financial gain.

jafingi 10 years ago

Apple should fetch the data via their servers instead of the clients'. It leaks way too much information.

  • pfg 10 years ago

    Messages are end-to-end encrypted in iMessage, meaning Apple cannot read the message contents. This solution would require Apple to bypass that encryption for URLs (which are often privacy-sensitive).

    A good approach would be for the sender to fetch the URL and embed the preview as metadata along with the message. The only downside is that the sender could spoof the preview, but I think that's an acceptable trade-off here (not much of a phishing vector when you end up loading the original site once you open the link anyway).
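
The sender-side preview described in the comment above, sketched as an added example (not part of the thread and not Apple's implementation). The JSON envelope, field names and sample HTML are assumptions made for illustration.

```python
import json
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page. Only the sender's device ever fetches it.
SAMPLE_HTML = """<html><head><title>Fallback title</title>
<meta property="og:title" content="Example article">
<meta property="og:description" content="A short summary.">
<meta property="og:image" content="https://example.com/cover.png">
</head><body>...</body></html>"""

class OGParser(HTMLParser):
    """Collects Open Graph <meta> tags and the <title> text."""
    def __init__(self):
        super().__init__()
        self.og, self.title, self._in_title = {}, "", False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("property") or "").startswith("og:"):
            self.og[a["property"][3:]] = a.get("content") or ""
        elif tag == "title":
            self._in_title = True
    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
    def handle_data(self, data):
        if self._in_title:
            self.title += data

def build_message(text, url, html):
    """Sender side: put preview fields inside the payload that gets encrypted."""
    p = OGParser()
    p.feed(html)
    # og:image is dropped on purpose: forwarding an image URL would make the
    # receiver fetch it. An image would have to be embedded as bytes instead.
    preview = {"url": url,
               "title": (p.og.get("title") or p.title.strip())[:120],
               "description": p.og.get("description", "")[:300]}
    return json.dumps({"text": text, "preview": preview})

def render_preview(payload):
    """Receiver side: build the preview from embedded fields, no network I/O."""
    pv = json.loads(payload).get("preview")
    if not isinstance(pv, dict):
        return None  # e.g. a plain SMS sender: show the bare link only
    # Sender-supplied title is untrusted, so always show the link's real host.
    host = urlsplit(str(pv.get("url", ""))).hostname or "?"
    return f"{str(pv.get('title', ''))[:120]} [{host}]"
```

Showing the real host next to the sender-supplied title limits the spoofing downside the comment mentions, and a message with no embedded preview falls back to the bare link.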

    • mhowland 10 years ago

      No need to do in transit. I mean iMessage could simply proxy all http/https requests post decryption in iMessage, pre-request.

      At the end of the day this privacy trade off (apple gets your browsing info) is probably more secure than an embedded webview that could potentially be exploited and is auto-loaded. Similar to how Chrome alerts of malicious sites...I see this as a long term larger attack vector than privacy leakage.

      • pfg 10 years ago

        The URL being disclosed to Apple was what I was getting at, which would happen with any approach that involves Apple performing the request on behalf of the user. I don't think the trade-off you're describing is necessary given that the sender could prepare the preview.

    • Chronic9q 10 years ago

      > Messages are end-to-end encrypted in iMessage, meaning Apple cannot read the message contents.

      Ha. Cute.

O5vYtytb 10 years ago

Many comments are in regards to fixing this feature. I think this is one of those situations where the feature (previewing links) is not a good idea in the first place, or at least do not enable it by default.

diegorbaquero 10 years ago

What's wrong with web hosts nowadays? a few 100 users and everything dies.

Cached: https://webcache.googleusercontent.com/search?q=cache%3Ahttp...

  • throwanem 10 years ago

    Wordpress with no caching plugin on a $5-a-month droplet, that's what. It's a pleasant enough platform to use, but if you don't cache content and you make the HN frontpage, you're gonna have a bad time.

    • circular_logic 10 years ago

      If you are going to use an out of the box like wordpress why use a VPS instead of a hosting provider? Purely just to store your own data?

      • throwanem 10 years ago

        Probably. You can also use a VPS for more things than just Wordpress, and shared web hosting tends to be kind of a crapshoot in any case; if you're up to doing sysadmin work, you really are better off with a VPS, not least because someone else's screwup is a lot less likely to impact your site.

  • dx034 10 years ago

    Any experience how many users you get from the front page? I guess there are a lot more clicks than comments, so it could've been 10k-100k?

    Should of course still be no problem for any server that serves cached content, but somehow that number of requests brings down a fair amount of frontpage posts..

digi_owl 10 years ago

I find myself thinking of a recent story of a Middle Eastern human rights activist whose iPhone was attempted to be hacked via an SMS URL. He avoided it by not tapping the URL. I do wonder if this preview "feature" will help automate future attacks.

It seems that whenever we try to make software helpful we produce more problems.

0x006A 10 years ago

it also happens on the macOS and there is no way to disable it.

m0r0c4sh 10 years ago

Well it's possible to disable imessage right?

Go to settings > messages > and disable iMessage.

That should be a temporary fix right?

osi 10 years ago

imessage won't auto-load previews until you ask it to do it the first time.

  • yoz-y 10 years ago

    But there is no way to disable this once you have accepted it. I do not actually remember having been given the choice but it has been some time so I probably just do not remember.

    Ideally one could enable previews only from contacts.

    • osi 10 years ago

      correct - i couldn't find a way to disable if you've changed your mind.
