A newly discovered security vulnerability can freeze your iPhone, and, in some cases, crash it, if someone sends you a link containing malicious code on iMessage.
Robert Alexander / Getty Images
Software developer Abraham Masri found the bug, called “chaiOS,” and posted it on Github Tuesday afternoon. Masri told BuzzFeed News that he found the vulnerability while “fuzzing with the operating system.” In other words, he was trying to break the operating system by inputting random characters into its internal code.
The link to that Github page — even if you don’t click it — will crash the phone.
Someone who wants to troll you just needs your phone number to do so. The bug requires no action from you to do some damage.
Twitter user @aaronp613, who tested the bug, told BuzzFeed News that after the link is sent, “The device will freeze for a few minutes. Then, most of the time, it resprings.” According to Aaron, after that, the Messages app won’t load any messages and will continue to crash. He tested chaiOS on an iPhone X and iPhone 5S, and said the bug affects iOS versions 10.0 through 11.2.5 beta 5. He has not tested the vulnerability on the latest beta, iOS 11.2.5 beta 6, which was released this morning.
The bug can also affect Mac computers, according to Masri. It’s not the first iMessage bug of its kind. In 2015, a short string of Unicode characters crashed devices, and in 2016, a bad link caused Safari to crash.
When someone texts you a link to a website through Messages in iOS, the app generates a preview of the link. Apple’s software guidelines allow developers to insert a small amount of characters into their website’s HTML to customize the image and title of that link preview.
Here’s what a Facebook link preview looks like in Messages:
Nicole Nguyen / BuzzFeed News
Instead of a small amount of characters, Masri inputted hundreds of thousands of characters into a webpage’s metadata, much more than the operating system expects, which Masri suspects is why Messages crashes. He then hosted the bug’s code on Github, which made it available for other people to use.
Apple did not immediately respond to requests for comment.
The chaiOS Github page has been taken down and Masri’s account has been suspended. But that doesn’t mean you’re safe.
“My Github is publicly accessible, so anyone can copy [the code]. I’m pretty sure someone else has posted it, but I’m not going to re-host it,” Masri said.
The malicious code has likely been re-uploaded elsewhere, and there may be other bad links exploiting the vulnerability circulating around. Masri said he posted the bug to alert Apple: “My intention is not to do bad things. My main purpose was to reach out to Apple and say, ‘Hey you’ve been ignoring my bug reports.’ I always report the bug before releasing something.”
Masri said after he reported the bug (“yesterday or the day before,” he said), he received two automated emails from Apple, but that he didn’t get a response indicating that the company considered it an issue or planned to work on a fix. Masri says chaiOS is not the first bug he’s alerted Apple about: “One time, I reported a bug that disables your phone’s display — being able to disable a phone’s display should not be possible. It works on the latest version of iOS, and after I sent it to Apple, they said they don’t consider it an issue.”
Apple did not immediately respond to a request for comment about whether it had received Masri’s bug reports.
So what can you do? For now, if you do receive a bad link running the chaiOS bug, delete the message thread if you can, Masri said.
In some cases, if you try to open the Messages app, it will continue to crash before you’re able to delete the thread. If Messages is in a recurring crash loop, you can try to restore your iOS device to factory settings, but this will erase all of the photos, saved data, and settings on your device.
Masri advises always keeping your iPhone or iPad on the latest version of iOS, which include security patches for bugs like this one.
Some folks suggested blocking Github’s domain in Safari settings (Settings app > General > Restrictions > Enable Restrictions > Websites > Limit Adult Content > Never Allow > Github.io). This will protect you if (and only if!) the bug has been re-posted on Github, but it will not be effective if someone posts the code on their own server.
We’ll update the post if and when Apple releases a security patch.