Software developer Abraham Masri has identified a new iMessage bug, dubbed chaiOS, which can crash or freeze Apple's iPhone and Mac devices. The developer posted his findings on GitHub this Tuesday.
According to Masri, he found the vulnerability while attempting to break the operating system by inserting random characters into its internal code. If a message containing a link to the code Masri published on GitHub is sent to a device, the bug is triggered even if the user doesn't click on the link.
The iMessage app generates a preview of the malicious link. Apple allows developers to insert a few characters into the HTML of their website to customize the title of that link preview in the app, and Masri used this to insert characters of his own. He inserted thousands of characters, far more than iOS allowed, which is why the iMessage app crashed. Masri later posted the code for the bug on GitHub, making it available to the public.
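The mechanism described above is an unbounded, page-controlled title reaching a preview renderer. The following is an added sketch of the defensive side, not code from Apple or from Masri: a preview-title extractor that caps what it accepts from untrusted markup. The two limits, the `og:title` lookup and all names are assumptions chosen for illustration.

```python
from html.parser import HTMLParser

MAX_TITLE_CHARS = 200        # assumed display cap, not a value from Apple
MAX_HTML_BYTES = 64 * 1024   # assumed limit on how much markup is parsed


class _TitleParser(HTMLParser):
    """Collects the preview title without buffering more than the cap."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts, self.count = [], 0
        self.in_title = self.done = self.overflow = False

    def _take(self, text):
        room = MAX_TITLE_CHARS - self.count
        if len(text) > room:
            self.overflow = True          # page offered more than we accept
        self.parts.append(text[:room])
        self.count += min(len(text), room)

    def handle_starttag(self, tag, attrs):
        if self.done:
            return
        if tag == "title":
            self.in_title = True
        elif tag == "meta":
            meta = dict(attrs)
            if meta.get("property") == "og:title" and meta.get("content"):
                self._take(meta["content"])
                self.done = True

    def handle_endtag(self, tag):
        if tag == "title" and self.in_title:
            self.in_title, self.done = False, True

    def handle_data(self, data):
        if self.in_title and not self.done:
            self._take(data)


def preview_title(html_bytes):
    """Return (title, truncated) for untrusted page markup."""
    parser = _TitleParser()
    parser.feed(html_bytes[:MAX_HTML_BYTES].decode("utf-8", errors="replace"))
    parser.close()
    raw = "".join(parser.parts)
    # Replace control/non-printable characters and collapse whitespace.
    title = " ".join("".join(c if c.isprintable() else " " for c in raw).split())
    return title, parser.overflow
```

The `truncated` flag lets the caller log or reject pages that exceed the cap instead of silently rendering them.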
The bug was tested by Twitter user @aaronp613, who reported that when the link was sent, the device froze for a few minutes and then restarted. The device continually crashed and the user wasn't able to load messages. Masri stated that the bug affected iOS versions 10.0 through 11.2 beta 5, that the flaw wasn't tested on the recently released iOS 11.2.5 beta 6, and that he tested the bug on the iPhone X and iPhone 5S. On Mac devices, the bug crashes the Safari browser and causes the system to slow down.
Apple is yet to respond to this issue. Masri, however, has deleted the chaiOS GitHub post from his profile, and his own account was suspended for a few hours. This doesn't make iOS users safe from having their devices crashed, as the code must have been uploaded elsewhere and the chaiOS vulnerability could still be exploited by threat actors. As Masri noted:
“My GitHub is publicly accessible, so anyone can copy [the code]. I’m pretty sure someone else has posted it, but I’m not going to rehost it. My intention is not to do bad things. My main purpose was to reach out to Apple and say, ‘Hey, you’ve been ignoring my bug reports.’ I always report the bug before releasing something.”
Masri notified Apple about the bug on January 15. In response he received two automated emails from the iPhone maker, but no solid response indicating that the company was giving the issue its due consideration.
The only option available to affected users is to restore the iOS device to factory settings, but beware that this will delete all the data stored on the device, including settings and photos. To avoid being targeted, Masri suggests keeping iPhones and iPads updated with the latest iOS version, as it includes patches for such bugs. It is also possible to block the GitHub domain in Safari by following this path: Settings app > General > Restrictions > Enable Restrictions > Websites > Limit Adult Content > Never Allow > GitHub.io. That way, if the bug is reposted on GitHub, you will stay protected.