Software developer Abraham Masri claims to have found a bug that crashes Apple devices and deletes messages.
The bug, which he named “chaiOS," is a "text bomb" that typically causes iPhones, iPads, or Macs to seize up after a user receives a specially engineered web address through an iMessage in the Messages app. The flaw can also delete a user’s messages on devices running iOS and Mac OS.
Masri says the bug, which he posted on programming site GitHub on Tuesday, exploits the fact that Messages preloads any links to websites so it can show users a preview of the page.
Masri told Buzzfeed News he found the vulnerability while “fuzzing with the operating system” by inputting random characters into its internal code. He created a webpage hosted on GitHub and loaded its metadata with thousands of unnecessary characters.
The bug suggests that Messages crashes when trying to load all of this unexpected information.
DOS attack
For the bug to be activated, all that’s required is for a phone to be sent a text message that contains a link to the bug's code. Your phone may crash or restart even if you don’t open the link.
"The 'chaiOS' bug appears to lock up your iphone to keep you from using it as a phone or run your iPhone apps. It's what we call a 'denial-of-service' or DOS attack," Randy Marchany, university information technology security officer at Virginia Tech, told ConsumerAffairs.
"While a DOS attack is a nuisance and might not appear to be dangerous at first sight, the fact that you can't use the phone for making a call could be dangerous if you need to make an emergency (911) call," he said.
More of a nuisance
Despite that implication, the glitch is being regarded by security experts as a more of a "nuisance" rather than dangerous.
"Something about the so-called ChaiOS bug's code gives your Apple device a brainstorm. Ashamed about the mess it gets itself in, Messages decides the least embarrassing thing to do is to crash,” industry expert Graham Cluley said.
"Nasty. But, thankfully, more of a nuisance than something that will lead to data being stolen from your computer or a malicious hacker being able to access your files.”
While a fix for the bug has not yet been created, Cluley says he wouldn’t be surprised if Apple rolls out a security update in the near future to “fix this latest example of a text bomb."
What to do
Consumers that are sent a copy of the bug and subsequently prevented from using Messages on their iPhone can try several fixes, according to the Verge:
Block the domain of where the link is coming from. Go to your Safari settings, then General > Restrictions > Enable Restrictions > Websites > Limit Adult Content > Never Allow > and then input the domain name.
Delete the thread the link was sent in.
Restore your iPhone to its factory settings. Since this will delete all of your content, don’t try this unless you’ve backed up your phone.
Wait for a patch. Although Apple hasn’t yet commented on the issue or devised a fix for the chaiOS, they may in the near future.