Free Republic

An iMessage 'text bomb' is floating around that can freeze your iPhone (or Mac)
iMore | January 17, 2018 | By TORY FOULK

Posted on 01/18/2018 2:56:51 PM PST by Swordmaker

A bug publicly released by a developer can freeze — and possibly crash — your device if you open it in Messages.

According to an article by Nicole Nguyen at Buzzfeed, yesterday afternoon software developer Abraham Masri publicly posted the bug — a security vulnerability called "chaiOS" that he found while attempting to break the operating system via "fuzzing" — to Github. Fuzzing is essentially a way of testing for vulnerabilities that involves putting way too much data into a system in order to crash it.

👋 Effective Power is back, baby!

chaiOS bug:
Text the link below, it will freeze the recipient's device, and possibly restart it. https://t.co/Ln93XN51Kq

⚠️ Do not use it for bad stuff.
----
thanks to @aaronp613 @garnerlogan65 @lepidusdev @brensalsa for testing!
— Abraham Masri (@cheesecakeufo) January 16, 2018

Here's how the bug works according to Buzzfeed's piece:

When someone texts you a link to a website through Messages in iOS, the app generates a preview of the link. Apple's software guidelines allow developers to insert a small amount of characters into their website's HTML to customize the image and title of that link preview. Instead of a small amount of characters, Masri inputted hundreds of thousands of characters into a webpage's metadata, much more than the operating system expects, which Masri suspects is why Messages crashes. He then hosted the bug's code on Github, which made it available for other people to use.

What really, really sucks? Once someone sends you the link to the page with tons of extra characters in its metadata through Messages, it will crash your phone, even if you don't click it or interact with it in any way. This basically means that all someone needs to freeze up your device for a few minutes (if not break it completely) is your phone number. Masri says the bug can also affect Macs.

Twitter user @aaronp613, one of the testers of the bug, spoke with Buzzfeed about what happens after the link is sent:

The device will freeze for a few minutes. Then, most of the time, it resprings.

Aaron then told Buzzfeed that once your phone reboots, the Messages app still won't load and will continue to crash. He also reported that the bug affects iOS versions 10.0 through 11.2.5 beta 5, though he has yet to test it on iOS 11.2.5 beta 6 — the latest beta — which was released earlier today.

The Github page hosting the code for the chaiOS vulnerability has been taken down and Masri's account has been suspended since he posted the link on Twitter. However, that doesn't mean that it's gone for good — because Masri's Github was open to the public, it's likely that someone else has already re-copied it and posted it elsewhere.

Masri stated in his chat with Buzzfeed that he has reported the bug to Apple, and that releasing it was to get Apple's attention as the company reportedly routinely ignores his reports:

My intention is not to do bad things. My main purpose was to reach out to Apple and say, 'Hey you've been ignoring my bug reports.' I always report the bug before releasing something.

And it seems it worked — Apple confirmed to Buzzfeed that a fix for the bug is currently in the works, and will be released in an update next week. There is no word about whether or not Apple has responded to Masri directly, however.

So what can I do?

Basically, be vigilant. If you see that you've received a link you don't recognize that you think may be running the chaiOS bug, delete it immediately (if you're able). However, that may not be possible, because in some cases Messages will crash before you're even able to open it. If you're not able to open the messages app whatsoever due to the bug, you may consider resetting your phone to its factory settings by doing a full restore. However this will delete your photos and anything else saved to your device.

Outside of that, it's always a good idea to make sure your phone is running the latest version of iOS — Apple routinely fixes vulnerabilities in updates, and this is no different. Definitely update to the newest iOS as soon as you're able.

For more information regarding the chaiOS bug, you can check out Buzzfeed's article.



TOPICS: Business/Economy; Computers/Internet
KEYWORDS: applepinglist; ios; macos; messagingbug

1 posted on 01/18/2018 2:56:52 PM PST by Swordmaker
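One way a link-preview generator can bound the page metadata it accepts, following the mechanism the article describes. This is an added example, not Apple's code and not part of the original post; the two caps and the names `PreviewMetaParser` and `build_preview` are hypothetical, chosen for illustration.

```python
from html.parser import HTMLParser

MAX_HTML_BYTES = 64 * 1024   # assumed cap on how much of a page is parsed
MAX_FIELD_CHARS = 300        # assumed cap for any one preview field
PREVIEW_KEYS = {"og:title", "og:image"}

class PreviewMetaParser(HTMLParser):
    """Collect link-preview metadata, refusing oversized values."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.fields, self.rejected = {}, []
        self._title_parts = None  # list while inside <title>, else None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._title_parts = []
        elif tag == "meta":
            key = (a.get("property") or a.get("name") or "").lower()
            if key in PREVIEW_KEYS:
                self._store(key, a.get("content") or "")

    def handle_data(self, data):
        if self._title_parts is not None:
            self._title_parts.append(data)

    def handle_endtag(self, tag):
        if tag == "title" and self._title_parts is not None:
            self._store("title", "".join(self._title_parts))
            self._title_parts = None

    def _store(self, key, value):
        value = value.strip()
        if len(value) > MAX_FIELD_CHARS:
            self.rejected.append(key)      # drop it; caller falls back
        elif value:
            self.fields.setdefault(key, value)

def build_preview(html_bytes, url):
    """Return (preview, rejected_keys) for a fetched page body."""
    parser = PreviewMetaParser()
    parser.feed(html_bytes[:MAX_HTML_BYTES].decode("utf-8", "replace"))
    parser.close()
    f = parser.fields
    title = f.get("og:title") or f.get("title") or url
    return {"url": url, "title": title, "image": f.get("og:image")}, parser.rejected

if __name__ == "__main__":  # constructed sample: og:title far over the cap
    page = b'<title>Fallback</title><meta property="og:title" content="' + b"A" * 5000 + b'">'
    print(build_preview(page, "https://example.test/"))
```

An oversized field is dropped rather than truncated, so the preview falls back to the page's `<title>` or the bare URL and the rejection can be logged.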

To: ~Kim4VRWC's~; 1234; 5thGenTexan; AbolishCSEU; Abundy; Action-America; acoulterfan; AFreeBird; ...
A bug in iMessage can cause it to crash when a message with a link to an image with hundreds of thousands of characters in the metadata is received. This can also cause the iOS device or even a Mac to crash and restart. If you receive an iMessage with an unexpected link, don't open it. Apple is preparing a fix for this bug. — PING!


Apple iMessage Bug Can Cause Crash
Ping!

The latest Apple/Mac/iOS Pings can be found by searching Keyword "ApplePingList" on FreeRepublic's Search.

If you want on or off the Mac Ping List, Freepmail me

2 posted on 01/18/2018 3:00:36 PM PST by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you racist, bigot!)

To: Swordmaker

That damn Micros... oh.


3 posted on 01/18/2018 3:01:34 PM PST by Ingtar

To: Swordmaker
So what can I do?

If you know someone sending these assaults to anyone else, be sure that he has a little "accident" that will leave him unable to use those offending fingers to type out any more "bugs"!

4 posted on 01/18/2018 3:28:13 PM PST by JimRed ( TERM LIMITS, NOW! Build the Wall Faster! TRUTH is the new HATE SPEECH.)

To: Swordmaker
Definitely update to the newest iOS as soon as you're able.

Mine has required me to update several times in the past couple of months. Hope that's what they were covering.

5 posted on 01/18/2018 3:30:30 PM PST by JimRed ( TERM LIMITS, NOW! Build the Wall Faster! TRUTH is the new HATE SPEECH.)

To: JimRed

Do you suggest breaking fingers or just cutting them off?


6 posted on 01/18/2018 3:32:27 PM PST by Irish Eyes

To: JimRed

Because only telemarketers are spoofing phone numbers, not hackers, right?

Spoofing IS hacking.


7 posted on 01/18/2018 4:06:14 PM PST by a fool in paradise (Did Barack Obama denounce Communism and dictatorships when he visited Cuba as a puppet of the State?)

To: Irish Eyes; JimRed
Do you suggest breaking fingers or just cutting them off?

Break them first, then cut them off. 😄

8 posted on 01/18/2018 4:12:15 PM PST by Mark17 (Genesis chapter 1 verse 1. In the beginning GOD....And the rest, as they say, is HIS-story)

To: Swordmaker
If you're not able to open the messages app whatsoever due to the bug, you may consider resetting your phone to its factory settings by doing a full restore. However this will delete your photos and anything else saved to your device.

I always tell people to back up their devices. Frequently. I've had to help people by recovering their precious photos and important data, and they hadn't backed up their data. If it's important, it should be backed up to a safe place.

9 posted on 01/18/2018 4:12:55 PM PST by roadcat

To: JimRed
Mine has required me to update several times in the past couple of months. Hope that's what they were covering.

No, the fix for this newly discovered bug is due next week. In the meantime, don't open a link in an iMessage from someone you don't recognize or from someone who is prone to nasty practical jokes.

10 posted on 01/18/2018 4:26:18 PM PST by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you racist, bigot!)

To: Irish Eyes
Do you suggest breaking fingers or just cutting them off?

Drawing and quartering is well thought of in some areas. . . personally I prefer to run them through a meat grinder.

11 posted on 01/18/2018 4:27:35 PM PST by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you racist, bigot!)

To: Swordmaker

I see you have similar thoughts as I regarding malicious hackers. Also telemarketers and other spammers, for me. You?


12 posted on 01/18/2018 4:32:05 PM PST by FreedomPoster (Islam delenda est)

To: Swordmaker

;)


13 posted on 01/18/2018 4:33:31 PM PST by Irish Eyes

To: Swordmaker
"In the meantime, don't open a link in an iMessage from someone you don't recognize or from someone who is prone to nasty practical jokes."

Or maybe just keep your phone turned off for the next week.

From the article:

14 posted on 01/18/2018 4:38:29 PM PST by Garth Tater (What's mine is mine.)

To: Swordmaker

The guy needs about 99 years in prison to consider his actions.

Then he should be punished.


15 posted on 01/18/2018 5:43:25 PM PST by PAR35
