Security Experts:

Connect with us

Hi, what are you looking for?


Mobile & Wireless

Google Researchers Detail Critical iMessage Vulnerability

Google Project Zero security researchers have published technical details on an iMessage vulnerability addressed last year, which could be exploited remotely to achieve arbitrary code execution. 

Google Project Zero security researchers have published technical details on an iMessage vulnerability addressed last year, which could be exploited remotely to achieve arbitrary code execution. 

Tracked as CVE-2019-8641, the vulnerability is considered Critical, featuring a CVSS score of 9.8, and was discovered by Google Project Zero security researchers Samuel Groß and Natalie Silvanovich

In September 2019, Apple announced that the release of iOS 12.4.2 for iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch 6th generation addressed this vulnerability: “An out-of-bounds read was addressed with improved input validation.”

The vulnerability, which was also addressed in macOS Mojave 10.14.6, watchOS 5.3.2, and tvOS 12.4, could be exploited by a remote attacker to cause unexpected application termination or arbitrary code execution. 

According to Project Zero’s security researchers, Apple actually started pushing patches for it in August 2019, with the release of iOS 12.4.1, which included hardening to prevent the remote exploitation of the bug. 

Groß has now provided further details on the vulnerability, explaining that exploitation could allow an attacker who knows the user’s Apple ID (mobile phone number or email address) to gain control over an iOS device within a few minutes. 

The attacker would then be able to exfiltrate files, passwords, authentication codes, emails, SMS and other messages, and other data. Moreover, they could spy on the user using the device’s microphone and camera, all without user interaction or visual indicator.

By exploiting CVE-2019-8641, the attack bypasses ASLR, then executes code on the device outside of the sandbox, Groß explains. Proof-of-concept (PoC) code targeting the iPhone XS on iOS 12.4 was published on the Project Zero issue 1917 discussion board.

To prevent abuse, the PoC deliberately alerts the victim of the ongoing attack and does not achieve native code execution, but skilled attackers will likely have no difficulties tailoring it to their needs (likely, they already have the capacity to target the flaw, the researcher says). 

iMessages, Groß explains, pass through multiple services and frameworks before the user is notified and the messages written to database. The remote attack surface includes the iMessage data format and the NSKeyedUnarchiver API, which can be triggered both sandboxed (imagent) and unsandboxed (SpringBoard). 

CVE-2019-8641 resides in the NSKeyedUnarchiver component and an attacker can trigger it by sending a crafted payload via an iMessage. On the receiver’s device, the data in the ati field is decoded using the NSKeyedUnarchiver API and the flaw is triggered during the unarchiving of an NSSharedKeyDictionary. 

The security researchers discovered that, during unarchiving, cyclic object graphs can be decoded, meaning that an object can be referenced while being unarchived further up in the callstack. With the object not yet fully initialized when it is referenced, a memory corruption appears during deserialization. 

To address the flaw, Apple first made the vulnerable code unreachable over iMessage (in iOS 12.4.1), but then fully addressed the vulnerability in subsequent updates. As of iOS 13, the decoding of NSKeyedUnarchiver only happens in the sandboxed IMDPersistenceAgent, but not in SpringBoard. 

In a talk a SecurityWeek’s 2019 CISO Forum, Presented by Intel, Silvanovich discussed Project Zero’s research into iMessage and their research methodology, along with what there is to learn from vulnerabilities in commonly-used software.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.