Apple has resolved an iMessage issue involving the Nickname Update feature that could have been exploited to trigger errors with no user interaction.

In a report published Thursday, iVerify said there is evidence to suggest the flaw was used to target the devices of high-profile individuals such as political figures, journalists, tech company executives and government officials in the United States and the European Union.

The Nickname Update feature offers users the option to send profile information such as their nickname and profile picture to other iMessage users when the "Share Name and Photo" setting is turned on. With this setting active, users are prompted to send their nickname information when messaging someone new.

The issue could have been exploited by sending nickname information to a target in rapid succession, triggering a race condition in which multiple threads accessed the same mutable dictionaries involved in the Nickname Update process at the same time. The resulting use-after-free (UAF) could crash the "imagent" process, which handles iMessage traffic, and iVerify noted it could also potentially be turned into controlled memory corruption leading to code execution. No interaction from the receiving user is needed to receive and process Nickname Update information, making this a potential zero-click exploit.

Crash logs that led iVerify to uncover the error indicate the issue was only present in iOS versions 17.2.1 through 18.1.1, and was fully fixed by 18.3. iOS 18.3 uses immutable copies of nickname-related dictionaries when processing updates, preventing the race condition from occurring.

Also noted in the crash logs was the rarity of this particular memory corruption error triggered by nickname updates, which made up only about 0.0016% of crashes detected in iVerify's telemetry. These rare crashes disproportionately affected high-profile individuals, pointing to possible deliberate exploitation of the flaw in attacks against them.

Further corroborating this theory, one of the affected individuals, a senior EU government official, received an Apple Threat Notification thirty days after such a crash occurred. Another affected individual reported being physically surveilled and observing other anomalous device behavior around the time of the crash.

iVerify found suspicious modifications to SMS attachment directories about 20 seconds after a crash on one of the affected devices, indicating potential clean-up activity by a malicious actor. However, the researchers also noted the possibility that these crashes were incidental to a separate exploit chain, such as an attack in which several messages were sent in quick succession, inadvertently triggering the crash.

At the time of publishing, Apple had yet to respond to a request for comment.
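The race condition described above, as an added illustration in C that is not Apple's code, iVerify's proof of concept, or anything from the report: one side of the program installs a fresh nickname dictionary on every incoming update and frees the previous one, while the consumer side processes whichever dictionary is currently shared. The vulnerable consumer keeps a raw pointer across a point where a burst of updates can run, so its second read lands on a reclaimed block; the fixed consumer takes a private, immutable copy first, mirroring the change described for iOS 18.3. Every name here (`NickDict`, `receive_update`, `process_unsafe`, `process_safe`, `burst_of_updates`) is an assumption, and a `freed` flag plus scribbled contents stand in for real allocator reclamation so the program stays deterministic and never itself dereferences freed memory.

```c
/* Model of a mutable-dictionary race between an update thread and a consumer.
 * Added illustration, not Apple's or iVerify's code; all names are assumptions.
 * A "freed" flag stands in for real memory reclamation so the demo is
 * deterministic and does not execute undefined behaviour. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define POOL_SLOTS 8
#define FIELD_LEN  32

typedef struct {
    char nickname[FIELD_LEN];
    char photo_id[FIELD_LEN];
    bool freed;               /* models the allocator having reclaimed this block */
} NickDict;

static NickDict pool[POOL_SLOTS];
static unsigned pool_next;
static NickDict *g_shared;    /* the one mutable dictionary both sides touch */

void reset_model(void) {
    memset(pool, 0, sizeof pool);
    pool_next = 0;
    g_shared = NULL;
}

static NickDict *dict_alloc(const char *nick, const char *photo) {
    NickDict *d = &pool[pool_next++ % POOL_SLOTS];
    snprintf(d->nickname, FIELD_LEN, "%s", nick);
    snprintf(d->photo_id, FIELD_LEN, "%s", photo);
    d->freed = false;
    return d;
}

static void dict_free(NickDict *d) {
    /* simulate the allocator scribbling over a reclaimed block */
    memset(d->nickname, 'X', FIELD_LEN - 1);
    memset(d->photo_id, 'X', FIELD_LEN - 1);
    d->freed = true;
}

/* Receiver side: each incoming Nickname Update swaps in a fresh dictionary and
 * frees the previous one. Nothing here waits for the consumer to finish. */
void receive_update(const char *nick, const char *photo) {
    NickDict *old = g_shared;
    g_shared = dict_alloc(nick, photo);
    if (old) dict_free(old);
}

/* Sender behaviour from the report: several updates in rapid succession
 * (constructed sample input). */
void burst_of_updates(void) {
    receive_update("bob", "photo2");
    receive_update("carol", "photo3");
}

/* Vulnerable consumer: holds a raw pointer to the shared dictionary across the
 * point where the update side can run. Returns 0 on success, -1 when the second
 * read touched a block that had already been freed (the use-after-free). */
int process_unsafe(char *out, size_t out_len, void (*preempt)(void)) {
    NickDict *d = g_shared;
    if (d == NULL || d->freed) return -1;
    char nick[FIELD_LEN];
    snprintf(nick, sizeof nick, "%s", d->nickname);    /* first access: fine */

    preempt();                                          /* burst lands here */

    /* second access through the stale pointer: reads the scribbled block */
    snprintf(out, out_len, "%s/%s", nick, d->photo_id);
    return d->freed ? -1 : 0;
}

/* Fixed consumer: copy the dictionary into a private immutable snapshot before
 * doing any work, so later updates cannot pull the memory out from under it. */
int process_safe(char *out, size_t out_len, void (*preempt)(void)) {
    if (g_shared == NULL || g_shared->freed) return -1;
    const NickDict snapshot = *g_shared;               /* owned, immutable copy */

    preempt();                                          /* same burst, no effect */

    snprintf(out, out_len, "%s/%s", snapshot.nickname, snapshot.photo_id);
    return 0;
}

int main(void) {
    char out[2 * FIELD_LEN + 2];
    reset_model();
    receive_update("alice", "photo1");
    printf("unsafe rc=%d out=%s\n", process_unsafe(out, sizeof out, burst_of_updates), out);
    reset_model();
    receive_update("alice", "photo1");
    printf("safe   rc=%d out=%s\n", process_safe(out, sizeof out, burst_of_updates), out);
    return 0;
}
```

In the real process the window between the two accesses is a scheduling race rather than an explicit callback, which is why the report describes triggering it by sending updates in rapid succession; the callback only makes the interleaving reproducible. Copying (or retaining) the object before the first access is the general fix for this class of bug, and is what the immutable-copy change in iOS 18.3 amounts to.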
Threat Intelligence, Application security
0-click exploitation of iMessage nickname feature revealed

(Credit: prima91 – stock.adobe.com)