Thanks to an Apple bug, it's now easier than ever to make fake news, or at least fake news headlines, that seem to come from credible sources.
The editorial team at MacRumors has discovered a bug in Safari for iOS that allows anyone to create misleading iMessage preview links.
How does the trick work?
The mobile version of Safari (for iPhone, iPad and iPod touch) allows users to select text from a web page before they click the Share button, as a means of marking a particular part of a page for the recipient of an iMessage.
However, Apple does not limit the preview text selection to only what the browser received from the web server, and that is where the bug lies. Users can type something into a page's search box (or another text field), select the text they just typed, tap the browser's Share button, and then tap the green and white message icon to send it to an iMessage recipient of their choice.
Currently, nothing prevents a user from typing a misleading headline or other deceptive text into a field and making it part of the page preview. While MacRumors calls the bug "funny" and notes that it can be easily exploited as a prank, we feel that iMessage users should be cautious, as the bug can also be used in more malicious attacks, for example as a means to try to get financial investors to buy or sell stocks in a panic based on fake headlines.
Apple has not yet announced plans to address the bug, but it will probably be resolved in a forthcoming version of iOS.
The bug does not appear to be present in other iOS browsers we tested, or in Safari for macOS (although the Messages app on macOS also displays misleading previews sent from an iOS device). In addition, some sites that we tested, such as the Forbes website, seemed resistant to the preview trick.
How can I learn more?
We're discussing the Safari / iMessage preview bug in this week's edition of the Intego Mac Podcast, so be sure to subscribe so you don't miss the latest episode. You can also subscribe to our email newsletter and keep an eye on the Mac Security Blog for updates.
About Joshua Long
Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher and author. Josh holds a master's degree in IT that focuses on Internet security and has taken doctoral studies in business administration and computer security. His research has been featured by many fine publications such as CNET, CBS News, ZDNet UK, Lifehacker, CIO, Macworld, The Register and MacTech Magazine. Look for more of Josh's security articles on security.thejoshmeister.com and follow him on Twitter.