iOS10 iMessage Drive-By CSRF? …No!

Upon hearing about some of the new features in iOS 10, I decided to check it out using the Apple Beta Software Program. There are many new features ripe for the testing, but one particular feature caught my eye: rich links in iMessages. Essentially, when you receive a URL in an iMessage, your iPhone will attempt to retrieve the website to give you a little preview.


The obvious test: can we use this as an attack vector for drive-by CSRF? If the preview fetch carries the recipient's Safari cookies, then merely sending a link to a state-changing GET endpoint would fire an authenticated request from any recipient who is logged in to a CSRF-vulnerable website, with no tap required.

To answer this, I set up a little test site:

  • login.php sets a cookie
  • transfer.php checks if the cookie is set. If the cookie is set it redirects to yescookie.html; if the cookie is not set it redirects to nocookie.html.
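The same harness in Python, as an added example that is not the author's code (the post describes what login.php and transfer.php do but does not show their source). The cookie name "session" and its value "1" are assumptions; the routing logic lives in route() so the cookie check can be exercised without a running server, and the HTTPServer wrapper at the bottom serves it on port 8000 when the file is run directly.

```python
"""Minimal stand-in for the login.php / transfer.php test site (added example)."""
from http import cookies
from http.server import BaseHTTPRequestHandler, HTTPServer

COOKIE_NAME = "session"   # assumed; the post does not name the cookie
COOKIE_VALUE = "1"        # assumed


def has_session_cookie(cookie_header):
    """True if the Cookie request header carries our session cookie."""
    if not cookie_header:
        return False
    jar = cookies.SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get(COOKIE_NAME)
    return morsel is not None and morsel.value == COOKIE_VALUE


def route(path, cookie_header=None):
    """Pure routing logic mirroring the author's test site.

    /login.php      -> 200 and Set-Cookie
    /transfer.php   -> 302 to /yescookie.html if the cookie was sent,
                       302 to /nocookie.html otherwise
    /yescookie.html and /nocookie.html -> 200
    Returns (status, headers, body).
    """
    if path == "/login.php":
        return 200, {"Set-Cookie": f"{COOKIE_NAME}={COOKIE_VALUE}; Path=/"}, b"logged in\n"
    if path == "/transfer.php":
        target = "/yescookie.html" if has_session_cookie(cookie_header) else "/nocookie.html"
        return 302, {"Location": target}, b""
    if path in ("/yescookie.html", "/nocookie.html"):
        return 200, {}, (path.strip("/") + "\n").encode()
    return 404, {}, b"not found\n"


class Handler(BaseHTTPRequestHandler):
    """Socket glue: hands the request line and Cookie header to route()."""

    def do_GET(self):
        status, headers, body = route(self.path, self.headers.get("Cookie"))
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # BaseHTTPRequestHandler logs each request line and status to stderr,
    # which is enough to reproduce the access-log comparison in the post.
    HTTPServer(("0.0.0.0", 8000), Handler).serve_forever()
```

Hit /login.php from Safari on the phone first, then send a link to /transfer.php by iMessage and compare which of the two landing pages each client reaches.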

First, I went through the process in Safari, and was redirected to yescookie.html.

"GET /login.php HTTP/1.1" 200 61 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0 like Mac OS X) AppleWebKit/602.1.38 (KHTML, like Gecko) Version/10.0 Mobile/14A5297c Safari/602.1"
"GET /transfer.php HTTP/1.1" 302 - "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0 like Mac OS X) AppleWebKit/602.1.38 (KHTML, like Gecko) Version/10.0 Mobile/14A5297c Safari/602.1"
"GET /yescookie.html HTTP/1.1" 200 - "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0 like Mac OS X) AppleWebKit/602.1.38 (KHTML, like Gecko) Version/10.0 Mobile/14A5297c Safari/602.1"

Then, I sent a link to transfer.php in an iMessage to see if it would use the Safari cookies:


After a few seconds of loading, I checked my log files:

"GET /transfer.php HTTP/1.1" 302 - "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/601.2.4 (KHTML, like Gecko) Version/9.0.1 Safari/601.2.4 facebookexternalhit/1.1 Facebot Twitterbot/1.0"
"GET /nocookie.html HTTP/1.1" 200 - "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/601.2.4 (KHTML, like Gecko) Version/9.0.1 Safari/601.2.4 facebookexternalhit/1.1 Facebot Twitterbot/1.0"

Thank you, Apple! You did not create a new drive-by CSRF attack vector: the preview fetch identifies itself with a desktop Safari 9 user agent plus the facebookexternalhit/Facebot/Twitterbot tokens and arrives without the Safari cookie jar, so transfer.php never sees the session. Before you get your knickers in a twist, I did test second-degree CSRF as well. Same basic result.
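To make the comparison between the two log excerpts mechanical, here is an added example (not from the original post) that parses the log lines quoted above, classifies each request by user agent, and reports which page /transfer.php redirected each client to. The log lines are copied from the post; the classification rules (iPhone plus Safari for the phone's browser, facebookexternalhit, Facebot or Twitterbot tokens for the preview fetcher) are my assumptions based on those lines.

```python
"""Check an access log for whether a link-preview fetcher replayed the
browser's session cookie (added example, not from the original post)."""
import re

# Access-log excerpts copied from the post (request, status, size,
# referer, user agent; client IP and timestamp were not shown).
SAFARI_LOG = [
    '"GET /login.php HTTP/1.1" 200 61 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0 like Mac OS X) AppleWebKit/602.1.38 (KHTML, like Gecko) Version/10.0 Mobile/14A5297c Safari/602.1"',
    '"GET /transfer.php HTTP/1.1" 302 - "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0 like Mac OS X) AppleWebKit/602.1.38 (KHTML, like Gecko) Version/10.0 Mobile/14A5297c Safari/602.1"',
    '"GET /yescookie.html HTTP/1.1" 200 - "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0 like Mac OS X) AppleWebKit/602.1.38 (KHTML, like Gecko) Version/10.0 Mobile/14A5297c Safari/602.1"',
]
IMESSAGE_LOG = [
    '"GET /transfer.php HTTP/1.1" 302 - "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/601.2.4 (KHTML, like Gecko) Version/9.0.1 Safari/601.2.4 facebookexternalhit/1.1 Facebot Twitterbot/1.0"',
    '"GET /nocookie.html HTTP/1.1" 200 - "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/601.2.4 (KHTML, like Gecko) Version/9.0.1 Safari/601.2.4 facebookexternalhit/1.1 Facebot Twitterbot/1.0"',
]

LINE_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Assumed: these tokens mark the iMessage preview fetcher, as seen in the log.
PREVIEW_TOKENS = ("facebookexternalhit", "Facebot", "Twitterbot")


def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify_ua(ua):
    """Assumed classification: crawler tokens mean the preview fetcher,
    an iPhone Safari string means the interactive browser."""
    if any(tok in ua for tok in PREVIEW_TOKENS):
        return "preview-fetcher"
    if "iPhone" in ua and "Safari" in ua:
        return "iphone-safari"
    return "other"


def transfer_outcomes(lines):
    """Map each client class to the page /transfer.php sent it to.

    A 302 on /transfer.php marks the client class as pending; the next
    yescookie/nocookie hit from that class resolves it."""
    outcomes = {}
    pending = set()
    for entry in filter(None, map(parse_line, lines)):
        client = classify_ua(entry["ua"])
        if entry["path"] == "/transfer.php" and entry["status"] == 302:
            pending.add(client)
        elif client in pending and entry["path"] in ("/yescookie.html", "/nocookie.html"):
            outcomes[client] = entry["path"][1:-len(".html")]
            pending.discard(client)
    return outcomes


def preview_replays_session(lines):
    """True only if the preview fetch reached yescookie.html, i.e. it sent
    the Safari session cookie, which is the drive-by CSRF condition."""
    return transfer_outcomes(lines).get("preview-fetcher") == "yescookie"


if __name__ == "__main__":
    print(transfer_outcomes(SAFARI_LOG + IMESSAGE_LOG))
    print("preview fetch replays Safari cookies:", preview_replays_session(IMESSAGE_LOG))
```

The same check applies to any other link-preview or unfurl bot you want to vet: point it at the harness, feed the resulting log lines to transfer_outcomes(), and a "yescookie" result for a non-browser client is the finding.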
