Software developer Abraham Masri found the bug, called “chaiOS,” along with posted of which on GitHub Tuesday afternoon. Masri told BuzzFeed News of which he found the vulnerability while “fuzzing with the operating system.” In some other words, he was trying to break the operating system by inputting random characters into its internal code.
Someone who wants to troll you just needs your phone number to do so. The bug requires no action coming from you to do damage.
Twitter user @aaronp613, who tested the bug, told BuzzFeed News of which after the link is actually sent, “The device will freeze for a few minutes. Then, most of the time, of which resprings.” According to Aaron, after of which, the Messages app won’t load any messages along with will continue to crash.
He tested chaiOS on an iPhone X along with iPhone 5S, along with said the bug affects iOS versions 10.0 through 11.2.5 beta 5. He has not tested the vulnerability on the latest beta, iOS 11.2.5 beta 6, which was released of which morning. The bug can also affect Mac computers, according to Masri.
of which’s not the first iMessage bug of its kind. In 2015, a short string of Unicode characters crashed devices, along with in 2016, a bad link caused Safari to crash.
When someone texts you a link to a website through Messages in iOS, the app generates a preview of the link. Apple’s software guidelines allow developers to insert a few characters into their website’s HTML to customize the image along with title of of which link preview in Messages.
Instead of a few characters, Masri inputted hundreds of thousands of characters into his webpage’s metadata, much more than the iOS operating system expected, which is actually why, Masri suspects, the Messages app crashes. He then hosted the bug’s code on GitHub, which made of which available for some other people to use.
Apple did not immediately respond to requests for comment.
The chaiOS GitHub page has been taken down along with Masri’s account was suspended. although of which doesn’t mean iOS users are safe.
“My GitHub is actually publicly accessible, so anyone can copy [the code]. I’m pretty sure someone else has posted of which, although I’m not going to rehost of which,” Masri said. Github initially suspended Masri’s account, then restored of which a few hours later. The chaiOS repository appeared to have been removed coming from Masri’s account page.
The malicious code has likely been reuploaded elsewhere, along with there may be some other bad links exploiting the chaiOS vulnerability circulating around. Masri said he published the bug to alert Apple: “My intention is actually not to do bad things. My main purpose was to reach out to Apple along with say, ‘Hey, you’ve been ignoring my bug reports.’ I always report the bug before releasing something.”
Masri said after he reported the bug on January 15, he received two automated emails coming from Apple, although of which he didn’t get a response indicating of which the company considered of which an issue or planned to work on a fix. Masri says chaiOS is actually not the first bug he’s alerted Apple about: “One time, I reported a bug of which disables your phone’s display — being able to disable a phone’s display should not be possible. of which works on the latest type of iOS, along with after I sent of which to Apple, they said they don’t consider of which an issue.”
Apple did not immediately respond to a request for comment about whether of which had received Masri’s bug reports.
In some cases, if you try to open the Messages app, of which will continue to crash before you’re able to delete the thread. If Messages is actually in a recurring crash loop, you can try to restore your iOS device to factory settings, although of which will erase all of the photos, saved data, along with settings on your device.
Masri advises always keeping your iPhone or iPad updated to the latest type of iOS, which includes security patches for bugs like of which one.
Some folks suggested blocking GitHub’s domain in Safari settings (Settings app > General > Restrictions > Enable Restrictions > Websites > Limit Adult Content > Never Allow > GitHub.io). of which will protect you if (along with only if!) the bug has been reposted on GitHub, although of which will not be effective if someone posts the code on their own server.
We’ll update of which post if along with when Apple releases a security patch.