The new iMessage preview feature that gives users a quick look at weblinks reveals network and device information to servers, data that can be used for surveillance and attacks.
Internet voice services developer Ross McKillop found that iMessage preview makes requests to servers from iPhones and Mac computers running iOS 10 and macOS Sierra, rather than via proxies on Apple's network.
This means that by sending URLs to users, the automatic iMessage preview feature will show the device IP address whether the system is an iPad, iPhone or Mac, and also the version of the operating system it is running, McKillop said.
iMessage preview also returns web browser user-agent data that includes the version of Safari running on the device.
The information is provided from every device owned by the user, and can be used to determine the location of users by comparing the IP addresses presented by iMessage preview and correlating them with time stamps.
McKillop said iMessage preview could be a potential attack vector as it can identify vulnerable versions of the web browser on a device.
As previews are automatically loaded, a vulnerability in Safari could be triggered by simply sending an iMessage with a URL pointing to a malicious site, McKillop theorised.
iMessage Previews cannot be switched off, and there is no option to make requests go through a proxy server that would hide the device information.
"Hopefully Apple will either change this or make it an option to request via a proxy (enabled by default)," McKillop said.
"[However] sometimes the best solution is the most obvious; extract the metadata on the sending device (they obviously trust the URL) and encapsulate that as metadata within the message."
It is unclear whether McKillop reported the problem to Apple before disclosing it publicly.