March 30, 2013
Not a week after resolving a serious password security hole, it seems that Apple's security team has yet another issue to be occupied with. This time, the issue at hand has to do with Apple's cross-device messaging platform, iMessage. As reported by The Next Web, several well-known iOS developers have become targets of what appears to be denial of service (DoS) attacks launched by at least one spammer through iMessage:
The attacks hit at least a half-dozen iOS developer and hacker community members that we know of now, and appear to have originated with a Twitter account involved in selling UDIDs, provisioning profiles and more that facilitate in the installation of pirated App Store apps which are re-signed and distributed.The attacks are accomplished by sending a quick succession of messages via iMessage. These messages, which are supposedly sent automatically from the OS X Messages app with the aid of an AppleScript, can arrive at such a high rate that they completely crash the recipient's Messages app on OS X and even on iOS, as in Grant Paul aka chpwn's case:
It's highly likely that the spammer managed to reach the affected developers through iMessage using only their email addresses. As you may already know, iMessage basically works with users' email addresses, with the addition of phone numbers for iPhone users. And as we all know, other people's email addresses are easier to guess or get ahold of than their phone numbers. In any case, here's hoping Apple's security team finds a viable solution right away, short of having users remove their compromised email addresses and phone numbers altogether from iMessage.
The iMessage spammer has now completely locked me out of my iOS Messages app, by sending long strings of Unicode chars. Definitely a DoS.— Grant Paul (chpwn) (@chpwn) March 29, 2013