A software developer experimenting with the iPhone's internal software has come upon a vulnerability in the OS that could send your Messages app to continually crash if you are sent a link to a specific Github website. The scary part is that you don't even have to click the link for it to affect the device.
Abraham Masri found the bug, dubbed "chaiOS", while trying to break the OS. He succeeded by inserting hundreds of thousands of characters into a web page's metadata - much more than the limited number expected by the iOS. When the link to the page is sent, the iMessage generates a preview on the receiving device, which is when the problems begin.
A Twitter user named @aaronp613, who helped Masri test the bug on various Apple devices, told Buzzfeed that “The device will freeze for a few minutes. Then, most of the time, it resprings.” From there, he said, the app won't load any messages and will continue to crash.
The bug was tested on an iPhone X and iPhone 5s, and affects all iOS versions from 10.0 through 11.2.5 beta 5. It has not been tested on iOS 11.2.5 beta 6, which came out today. Masri also said it affects macOS as well.
Masri tweeted out his findings and a link to the Github page where he uploaded the code. However, Github wasn't too happy and took down the page, while also suspending Masri's account.
The bug I released was to get @Apple's attention. It's just an html file.@Github always hosted jailbreaks (even .ipa files) that might've included malware. I don't understand why you'd ban my account.
— Abraham Masri (@cheesecakeufo) January 17, 2018
Btw, I always report bugs before releasing them.
While he may have wanted to get Apple's attention, it also gave others the chance to grab the code before the Github page was taken down, meaning more opportunities for malicious hacks to mess with unsuspecting users. Masri said that if you receive a link that you don't immediately recognize from someone you don't know, delete the thread immediately.
You can also block the Github domain in Safari, but that won't work if someone has posted the code on a different domain.
Apple has yet to respond to the bug, but give the severity, it could be addressed in a security update soon.
Update: Apple has told Buzzfeed that a fix is coming in an update next week.
16 Comments - Add comment