If This Link Is Texted To You Over iMessage, It'll Freeze Your iPhone
You don't even need to click the malicious link.
Apple confirmed a fix is coming in a software update next week.
A newly discovered security vulnerability can freeze your iPhone, and, in some cases, crash it, if someone sends you a link containing malicious code on iMessage.
Software developer Abraham Masri found the bug, called “chaiOS,” and posted it on GitHub Tuesday afternoon. Masri told BuzzFeed News that he found the vulnerability while “fuzzing with the operating system.” In other words, he was trying to break the operating system by inputting random characters into its internal code.
The link to that GitHub page — even if you don’t click it — will crash the phone.
Someone who wants to troll you just needs your phone number to do so. The bug requires no action from you to do damage.
Twitter user @aaronp613, who tested the bug, told BuzzFeed News that after the link is sent, “The device will freeze for a few minutes. Then, most of the time, it resprings.” According to Aaron, after that, the Messages app won’t load any messages and will continue to crash.
He tested chaiOS on an iPhone X and iPhone 5S, and said the bug affects iOS versions 10.0 through 11.2.5 beta 5. He has not tested the vulnerability on the latest beta, iOS 11.2.5 beta 6, which was released this morning. The bug can also affect Mac computers, according to Masri.
When someone texts you a link to a website through Messages in iOS, the app generates a preview of the link. Apple’s software guidelines allow developers to insert a few characters into their website’s HTML to customize the image and title of that link preview in Messages.
Here’s what a Facebook link preview looks like in Messages:
Instead of a few characters, Masri inputted hundreds of thousands of characters into his webpage’s metadata, much more than the iOS operating system expected, which is why, Masri suspects, the Messages app crashes. He then hosted the bug’s code on GitHub, which made it available for other people to use.
Apple did not immediately respond to requests for comment.
The chaiOS GitHub page has been taken down and Masri’s account was suspended. But that doesn’t mean iOS users are safe.
“My GitHub is publicly accessible, so anyone can copy [the code]. I’m pretty sure someone else has posted it, but I’m not going to rehost it,” Masri said. Github initially suspended Masri's account, then restored it a few hours later. The chaiOS repository appeared to have been removed from Masri's account page.
The malicious code has likely been reuploaded elsewhere, and there may be other bad links exploiting the chaiOS vulnerability circulating around. Masri said he published the bug to alert Apple: “My intention is not to do bad things. My main purpose was to reach out to Apple and say, ‘Hey, you’ve been ignoring my bug reports.’ I always report the bug before releasing something.”
Masri said after he reported the bug on January 15, he received two automated emails from Apple, but that he didn’t get a response indicating that the company considered it an issue or planned to work on a fix. Masri says chaiOS is not the first bug he’s alerted Apple about: “One time, I reported a bug that disables your phone’s display — being able to disable a phone’s display should not be possible. It works on the latest version of iOS, and after I sent it to Apple, they said they don’t consider it an issue.”
Apple did not immediately respond to a request for comment about whether it had received Masri’s bug reports.
So what can you do? For now, if you do receive a bad link running the chaiOS bug, delete the message thread if you can, Masri said.
In some cases, if you try to open the Messages app, it will continue to crash before you’re able to delete the thread. If Messages is in a recurring crash loop, you can try to restore your iOS device to factory settings, but this will erase all of the photos, saved data, and settings on your device.
Masri advises always keeping your iPhone or iPad updated to the latest version of iOS, which includes security patches for bugs like this one.
Some folks suggested blocking GitHub’s domain in Safari settings (Settings app > General > Restrictions > Enable Restrictions > Websites > Limit Adult Content > Never Allow > GitHub.io). This will protect you if (and only if!) the bug has been reposted on GitHub, but it will not be effective if someone posts the code on their own server.
We’ll update this post if and when Apple releases a security patch.
Text updated to reflect Github's restoration of Masri's account and date Masri reported chaiOS bug to Apple.