If you've sent or received any links through iMessage recently you've probably noticed that they're presented in a more appealing manner than before, providing a clickable link, an image and text extracted from the URL.
That's something other services like Facebook and Slack also do, but according to Ross McKillop (a developer), iMessage handles this in a rather different, and far less secure way.
When using Facebook for example, the website you're linking to will see a request from Facebook, but when using iMessage the website will get the request direct from your device, revealing your IP address, device type and operating system.
That might not sound so bad, but, as McKillop points out, the request will be sent from every device that you have running iMessage, allowing the website to get an idea of your location. For example, if your iPhone and Mac respond from different IP addresses you're probably out.
Even more troubling though is that McKillop believes that with URLs being sent this way, exploits found in Safari could potentially be triggered simply by sending someone an iMessage with the affected URL, with no requirement for the recipient to actually click the link.
There's also no way to disable this, so if McKillop is right it's down to Apple to fix it, hopefully before someone finds a way to fully exploit the issue.
We have contacted Apple to ask if it's aware of this potential vulnerability, and whether a fix is in the pipeline. We'll update this article once we get a response.
Via The Register