
iMessage Preview Problems; leak your location by receiving a text message - deep_attention
https://theantisocialengineer.com/imessage-preview-problems/
======
jonknee
tl;dr iMessage now previews links automatically

> The updated iMessage loads the link preview and in essence clicks the link
> for you! That’s what irks us with this, the choice. OK we might not stop
> people clicking links anytime soon but Apple have taken this very choice
> away from us and facilitate the information leakage. The very act of
> receiving an SMS message can reveal your rough geographic location, your
> cellular operator, your current WiFi network.

~~~
spullara
What makes this more frustrating is that the link previews are a pretty
terrible user experience.

~~~
userbinator
I don't use iMessage but I've noticed this "design pattern" turning up in
various other apps, and I _hate those bloody things_. They're extremely
distracting and annoying because they often include "loud" imagery too, when
I'm only trying to read the text. I turn them off whenever I can.

------
jxy

> Early 2016 we were the first company in the UK to offer
> SMShing services. These SMS messages are like phishing
> emails and contain a pretext alongside a link within the
> message. When a mark receives an SMS message and clicks the
> link a host of details are available to us.

This kind of thing happens with email too. In Apple Mail you can disable the
loading of external contents. Does anyone know in detail how the preview in
iMessage works?

------
omarforgotpwd
Sending the requests from the client is probably not the most secure idea.
Requests should be proxied through a cloud server on Apple's end to reduce the
security risk of these previews.

~~~
simonh
As has been pointed out below, iMessages are end-to-end encrypted so Apple has
no way to read the URL to proxy it.

~~~
spullara
You could still have the client use Apple as a proxy. This would reduce the
privacy of the message but only the URL and only exposing it to a specific
service at Apple. If it is a SOCKS proxy, you could reduce the exposure to
just the IP address and some amount of leakage to whatever DNS server the
phone is using.

~~~
jonknee
Why not have the sender do that work so Apple can just stay out of it?

~~~
spullara
The sender could be a dumb SMS client. I'd be happy to just turn off previews
entirely.

~~~
mhurron
Which is the right way to do it and exactly how every email client does. Do you
want to see previews? Have the device make the request. Do you not want to see
previews? The device shouldn't make those requests.

------
sisk
Incidentally, I received a bit of iMessage spam this weekend that I looked
into. Was a series of 302s to an affiliate link. So this is actively being
used right now for financial gain.

------
jafingi
Apple should fetch the data via their servers instead of the clients'. It
leaks way too much information.

~~~
pfg
Messages are end-to-end encrypted in iMessage, meaning Apple cannot read the
message contents. This solution would require Apple to bypass that encryption
for URLs (which are often privacy-sensitive).

A good approach would be for the sender to fetch the URL and embed the preview
as metadata along with the message. The only downside is that the sender could
spoof the preview, but I think that's an acceptable trade-off here (not much
of a phishing vector when you end up loading the original site once you open
the link anyway).

~~~
mhowland
No need to do in transit. I mean iMessage could simply proxy all http/https
requests post decryption in iMessage, pre-request.

At the end of the day this privacy trade off (apple gets your browsing info)
is probably more secure than an embedded webview that could potentially be
exploited and is auto-loaded. Similar to how Chrome alerts of malicious
sites...I see this as a long term larger attack vector than privacy leakage.

~~~
pfg
The URL being disclosed to Apple was what I was getting at, which would happen
with any approach that involves Apple performing the request on behalf of the
user. I don't think the trade-off you're describing is necessary given that
the sender could prepare the preview.
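
The sender-prepared preview discussed in this sub-thread, sketched as an added example (not code from the thread, the article, or Apple): the sender extracts preview fields from HTML it has already fetched, and the receiver renders them with no network request, showing the host taken from the URL itself so a spoofed title cannot hide the destination. The function names, the preview dictionary layout and the sample HTML are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

MAX_FIELD = 200  # cap sender-supplied strings before they reach the UI
# Constructed sample page standing in for what the sender fetched.
SAMPLE_HTML = ("<html><head><title>Fallback title</title>"
               '<meta property="og:title" content="Quarterly report">'
               '<meta property="og:description" content="Figures for Q3">'
               "</head><body></body></html>")

class OpenGraphParser(HTMLParser):
    """Collects og:* meta tags and the <title> text as a fallback."""
    def __init__(self):
        super().__init__()
        self.meta, self.title, self._in_title = {}, "", False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        prop = a.get("property") or ""
        if tag == "meta" and prop.startswith("og:") and a.get("content"):
            self.meta.setdefault(prop[3:], a["content"])
        elif tag == "title":
            self._in_title = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data

def clean(text):
    """Drop control characters and truncate; applied on both sides."""
    return "".join(ch for ch in text if ch.isprintable())[:MAX_FIELD]

def build_preview(url, html):
    """Sender side: build the metadata that travels inside the message."""
    p = OpenGraphParser()
    p.feed(html)
    return {"url": url,
            "title": clean(p.meta.get("title") or p.title.strip()),
            "description": clean(p.meta.get("description", ""))}

def render_preview(preview):
    """Receiver side: no fetch; the host label comes from the URL, not the sender."""
    host = urlsplit(preview["url"]).hostname or "unknown host"
    return f"[{host}] {clean(preview['title'])}"
```

The receiver treats every preview field as untrusted input, which is why `render_preview` re-applies `clean` rather than relying on the sender having done so.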

------
O5vYtytb
Many comments are in regards to fixing this feature. I think this is one of
those situations where the feature (previewing links) is not a good idea in
the first place, or at least should not be enabled by default.

------
diegorbaquero
What's wrong with web hosts nowadays? A few 100 users and everything dies.

Cached:
[https://webcache.googleusercontent.com/search?q=cache%3Ahttp...](https://webcache.googleusercontent.com/search?q=cache%3Ahttps%3A%2F%2Ftheantisocialengineer.com%2Fimessage-preview-problems%2F&ie=utf-8&oe=utf-8)

~~~
throwanem
Wordpress with no caching plugin on a $5-a-month droplet, that's what. It's a
pleasant enough platform to use, but if you don't cache content and you make
the HN frontpage, you're gonna have a bad time.

~~~
circular_logic
If you are going to use an out-of-the-box platform like Wordpress, why use a VPS
instead of a hosting provider? Purely just to store your own data?

~~~
throwanem
Probably. You can also use a VPS for more things than just Wordpress, and
shared web hosting tends to be kind of a crapshoot in any case; if you're up
to doing sysadmin work, you really are better off with a VPS, not least
because someone else's screwup is a lot less likely to impact your site.

------
digi_owl
I find myself thinking of a recent story of a Middle Eastern human rights
activist whose iPhone someone attempted to hack via an SMS URL. He avoided it
by not tapping the URL. I do wonder if this preview "feature" will help
automate future attacks.

It seems that whenever we try to make software helpful we produce more
problems.

------
0x006A
It also happens on macOS and there is no way to disable it.

~~~
simonh
You can disable auto-loading of images in Mail.app.

~~~
jonknee
What does that have to do with Messages?

~~~
simonh
My mistake, I thought the comment was wrt mail.

------
m0r0c4sh
Well it's possible to disable iMessage, right?

Go to settings > messages > and disable iMessage.

That should be a temporary fix right?

------
osi
imessage won't auto-load previews until you ask it to do it the first time.

~~~
yoz-y
But there is no way to disable this once you have accepted it. I do not
actually remember having been given the choice but it has been some time so I
probably just do not remember.

Ideally one could enable previews only from contacts.

~~~
osi
correct - i couldn't find a way to disable if you've changed your mind.

