Monday, October 14, 2024

Fake Safari Link Sharing Text

Joshua Long:

For nearly six years, Apple has neglected to fix a bug that enables anyone to effectively create false or misleading news headlines that appear to come from credible sources.

[…]

Apple’s Safari browser includes a feature related to link sharing. If you select (highlight) text within a Web page and then tap on the Share button, you can “quote” the selected portion of the page for the recipient when you share the link via Apple’s Messages app. The feature is intended to allow users to include a direct quote from an article, embedded within the iMessage link preview.

However, Apple does not limit the preview text selection to the contents of the page as received from the Web server—and therein lies the flaw.

Users can type something into a page’s search bar (or any other text field), select the text they just typed, tap Safari’s Share button, and then tap the green-and-white Messages icon to send it to any iMessage recipient—either an individual or a group.

4 Comments


Since it seems like this would be an easy thing for Apple to fix—by simply disallowing user-input fields to be quoted as part of a link preview—it’s difficult to imagine why Apple has allowed the flaw to persist for nearly six years after its discovery.

I can simply change the body text on a website from the inspector and quote that. Or, the same people who would be taken in by a faked quote link would be fooled by a screenshot of the same; as an attack it relies on receivers not to click and verify. The threat is overblown ("We have not received confirmation of this flaw being exploited for malicious purposes in real-world attacks") and the proposed solution is deficient. The actual problem here is that this was a bad feature to add to Messages in the first place, and should be removed.


@vintner Presumably they could disable sharing of modified pages.


Sébastien LeBlanc

Is this really an issue? I'm pretty sure this is intentional due to client-side rendering like a React app.


The issue here is how this is presented to the recipient. Usually, when you share a quote from an article in a message, it's shared as part of your message. If there is any text shown outside your message, it's loaded automatically from the original website by the messaging app, with you having no input on what exactly is shown.

For the recipient, this message looks like it's the latter, but it's actually the former. It looks trustworthy when it's not.

Is this the world's biggest issue, given all the fake news, selectively edited quotes, and other garbage people keep sharing, including ostensibly smart people? No. Is it something Apple should probably fix? I think so.
