Apple

iOS Safari Flaw Allows Deceptive News Headlines in Messages

Posted on February 22nd, 2019 by

Thanks to an Apple bug, now it's easier than ever to create fake news—or at least fake news headlines that appear to come from credible sources.

The editorial team at MacRumors has discovered a bug in Safari for iOS that allows anyone to create deceptive iMessage preview links.

How does the trick work?

The mobile version of Safari (for iPhone, iPad, and iPod touch) allows users to select text from within a Web page before tapping on the Share button, as a means of highlighting a particular portion of a page for the recipient of an iMessage.

However, Apple does not limit the preview text selection to only what the browser received from the Web server, and therein lies the flaw. Users can type something into a page's search bar (or any other text field), select the text they just typed, tap the browser's Share button, and then tap the green-and-white Message icon to send it to an iMessage recipient of their choice.

Currently there is nothing to prevent a user from typing a misleading headline or other deceptive text into a field and making it part of the page preview. While MacRumors calls the flaw "fun" and notes that it can easily be exploited as a prank, we feel that all iMessage users should take caution, as the flaw could also potentially be used in more sinister attacks, for example as a means to try to get financial investors to buy or sell stocks in a panic based on false headlines.

Apple has not yet announced plans to mitigate the flaw, but presumably it will be fixed in an upcoming version of iOS.

The bug does not appear to be present in other iOS browsers we tested, or in Safari for macOS (although the Messages app on macOS will also display misleading previews sent from an iOS device). Additionally, some sites we tested such as the Forbes homepage seemed to be resistant to the page preview bug.

How can I learn more?

We'll discuss the Safari/iMessage preview bug on this week's edition of the Intego Mac Podcast, so be sure to subscribe to make sure you don't miss the latest episode. You'll also want to subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for updates.

About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher and writer. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Business Administration and Computer and Information Security. His research has been featured by many fine publications such as CNET, CBS News, ZDNet UK, Lifehacker, CIO, Macworld, The Register, and MacTech Magazine. Look for more of Josh's security articles at security.thejoshmeister.com and follow him on Twitter. View all posts by Joshua Long →
  • Cogitate

    Tried it on several pages! Doesn’t work!
    Have latest iOS, German version