Upon hearing about some of the new features in iOS 10, I decided to check it out using the Apple Beta Software Program. There are many new features ripe for the testing, but one particular feature caught my eye: rich links in iMessages. Essentially, when you receive a URL in an iMessage, your iPhone will attempt to retrieve the website to give you a little preview.
The obvious test: can we use this as an attack vector for drive-by CSRF, targeting users of CSRF-vulnerable websites?
To answer this, I set up a little test site:
- login.php sets a cookie
- transfer.php checks if the cookie is set. If the cookie is set it redirects to yescookie.html; if the cookie is not set it redirects to nocookie.html.
First, I went through the process in Safari, and was redirected to yescookie.html.
"GET /login.php HTTP/1.1" 200 61 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0 like Mac OS X) AppleWebKit/602.1.38 (KHTML, like Gecko) Version/10.0 Mobile/14A5297c Safari/602.1"
"GET /transfer.php HTTP/1.1" 302 - "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0 like Mac OS X) AppleWebKit/602.1.38 (KHTML, like Gecko) Version/10.0 Mobile/14A5297c Safari/602.1"
"GET /yescookie.html HTTP/1.1" 200 - "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0 like Mac OS X) AppleWebKit/602.1.38 (KHTML, like Gecko) Version/10.0 Mobile/14A5297c Safari/602.1"
Then, I sent a link to transfer.php in an iMessage to see if it would use the Safari cookies.
After a few seconds of loading, I checked my log files:
"GET /transfer.php HTTP/1.1" 302 - "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/601.2.4 (KHTML, like Gecko) Version/9.0.1 Safari/601.2.4 facebookexternalhit/1.1 Facebot Twitterbot/1.0"
"GET /nocookie.html HTTP/1.1" 200 - "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/601.2.4 (KHTML, like Gecko) Version/9.0.1 Safari/601.2.4 facebookexternalhit/1.1 Facebot Twitterbot/1.0"
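The same check can be reproduced without a phone. The block below is an added example (my code, not the post's PHP site): a Python stand-in for login.php / transfer.php / yescookie.html / nocookie.html, a client that fetches transfer.php once with a logged-in cookie jar (the browser case) and once with a fresh one (the previewer case), and a parser that reads access-log entries like the ones above and reports, per User-Agent, whether the cookie came back. The cookie name, the loopback port and the use of http.server in place of PHP are assumptions.

```python
"""Added example: reproduce the cookie-sharing test from the post locally."""
import re
import threading
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar
from http.server import BaseHTTPRequestHandler, HTTPServer

COOKIE_NAME = "session"  # assumed; the post does not say what login.php sets


class TestSite(BaseHTTPRequestHandler):
    """Mirrors the post's site: login sets a cookie, transfer redirects
    to yescookie.html or nocookie.html depending on whether it came back."""

    def do_GET(self):
        if self.path == "/login.php":
            self._reply(200, b"logged in", [("Set-Cookie", f"{COOKIE_NAME}=1; Path=/")])
        elif self.path == "/transfer.php":
            cookies = self.headers.get("Cookie", "")
            target = "/yescookie.html" if f"{COOKIE_NAME}=" in cookies else "/nocookie.html"
            self._reply(302, b"", [("Location", target)])
        elif self.path in ("/yescookie.html", "/nocookie.html"):
            self._reply(200, self.path.encode())
        else:
            self._reply(404, b"")

    def _reply(self, status, body, extra=()):
        self.send_response(status)
        for name, value in extra:
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the stand-in server quiet
        pass


def final_path(base, jar, do_login):
    """Fetch transfer.php with the given cookie jar (after logging in, if asked),
    follow the redirect and return the path the client lands on."""
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    if do_login:
        opener.open(base + "/login.php").read()
    with opener.open(base + "/transfer.php") as resp:
        return urllib.parse.urlparse(resp.geturl()).path


def run_experiment():
    """Browser = logged-in jar; previewer = fresh jar that never saw login.php.
    A previewer that shared the browser's cookies would land on yescookie.html."""
    server = HTTPServer(("127.0.0.1", 0), TestSite)  # assumed loopback, ephemeral port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        browser = final_path(base, CookieJar(), do_login=True)
        previewer = final_path(base, CookieJar(), do_login=False)
    finally:
        server.shutdown()
        server.server_close()
    return {"browser": browser, "previewer": previewer}


# Combined-log fields used above: "METHOD PATH PROTO" STATUS SIZE "REFERER" "UA"
LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Sample input copied from the post's two log excerpts (entries may share a line).
SAMPLE_LOG = (
    '"GET /login.php HTTP/1.1" 200 61 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0 like Mac OS X) '
    'AppleWebKit/602.1.38 (KHTML, like Gecko) Version/10.0 Mobile/14A5297c Safari/602.1" '
    '"GET /transfer.php HTTP/1.1" 302 - "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0 like Mac OS X) '
    'AppleWebKit/602.1.38 (KHTML, like Gecko) Version/10.0 Mobile/14A5297c Safari/602.1" '
    '"GET /yescookie.html HTTP/1.1" 200 - "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0 like Mac OS X) '
    'AppleWebKit/602.1.38 (KHTML, like Gecko) Version/10.0 Mobile/14A5297c Safari/602.1"\n'
    '"GET /transfer.php HTTP/1.1" 302 - "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) '
    'AppleWebKit/601.2.4 (KHTML, like Gecko) Version/9.0.1 Safari/601.2.4 facebookexternalhit/1.1 Facebot Twitterbot/1.0" '
    '"GET /nocookie.html HTTP/1.1" 200 - "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) '
    'AppleWebKit/601.2.4 (KHTML, like Gecko) Version/9.0.1 Safari/601.2.4 facebookexternalhit/1.1 Facebot Twitterbot/1.0"'
)


def classify_clients(log_text):
    """Map each User-Agent to 'cookie sent' or 'no cookie' based on which
    landing page it was redirected to."""
    verdict = {}
    for m in LOG_RE.finditer(log_text):
        if m.group("path") == "/yescookie.html":
            verdict[m.group("ua")] = "cookie sent"
        elif m.group("path") == "/nocookie.html":
            verdict[m.group("ua")] = "no cookie"
    return verdict


if __name__ == "__main__":
    print(run_experiment())
    for ua, v in classify_clients(SAMPLE_LOG).items():
        print(v, "<-", ua)
```

The log parser keys on the landing page rather than on the Cookie header because, as in the post, a standard combined access log never records request cookies; the redirect target is the only trace of whether the fetcher carried the session. The distinct User-Agent of the previewer (the Facebot/Twitterbot string) is also a useful filter when auditing which of a site's state-changing URLs get fetched by link-preview bots.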
Thank you, Apple! You did not create a new drive-by CSRF attack vector. Before you get your knickers in a twist, I did test 2nd degree CSRF as well. Same basic result.