CVE-2016-1764

MEDIUM

Apple OS X <10.11.4 - Info Disclosure

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2016-1764. PoCs published by moloch--, dark-vex.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2016-1764, which leverages a JavaScript URI XSS vulnerability in the OS X Messages app to exfiltrate plaintext iMessage data and attachments via XMLHttpRequest to file:// URIs. The PoC includes detailed technical analysis, payload generation, and a server-side extraction script.

Description

The Content Security Policy (CSP) implementation in Messages in Apple OS X before 10.11.4 allows remote attackers to obtain sensitive information via a javascript: URL.

Exploits (2)

nomisec WORKING POC 51 stars
by moloch-- · poc
https://github.com/moloch--/cve-2016-1764

This repository contains a functional exploit for CVE-2016-1764, which leverages a JavaScript URI XSS vulnerability in the OS X Messages app to exfiltrate plaintext iMessage data and attachments via XMLHttpRequest to file:// URIs. The PoC includes detailed technical analysis, payload generation, and a server-side extraction script.

Classification: Working PoC 95%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Apple Messages (iMessage) on OS X Mountain Yosemite, El Capitan
No auth needed
Prerequisites: Victim must click a malicious JavaScript URI link sent via iMessage · Attacker must know the full path to target files (no relative paths)
devstral-2 · analyzed Feb 18, 2026

github WORKING POC 2 stars
by dark-vex · python · poc
https://github.com/dark-vex/CVE-PoC-collection/tree/master/CVE-2016-1764

This repository contains a functional exploit for CVE-2016-1764, which leverages a JavaScript URI XSS vulnerability in the OS X Messages app to exfiltrate plaintext iMessage data and attachments via XMLHttpRequest to a remote server. The exploit bypasses the same-origin policy in the embedded WebKit instance, allowing file reads from the local filesystem.

Classification: Working PoC 95%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Messages (iMessage) for OS X (Mountain Lion, Yosemite, El Capitan)
No auth needed
Prerequisites: Victim must click a malicious JavaScript URI link sent via iMessage · Attacker must know the full path to the victim's chat.db file
devstral-2 · analyzed Feb 27, 2026

References (3)

Core References
Vendor Advisory vendor-advisory x_refsource_apple
http://lists.apple.com/archives/security-announce/2016/Mar/msg00004.html
Vendor Advisory x_refsource_confirm
https://support.apple.com/HT206167
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1035363

Scores

CVSS v3 4.3
EPSS 0.0265
EPSS Percentile 83.6%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Details

CWE CWE-200
Status published
Products (1)
apple/mac_os_x < 10.11.3
Published Mar 24, 2016
Tracked Since Feb 18, 2026