Missed Text Messages Crashing iPhones? You Don’t Even Have to Click on This One to Do the Damage

Jan 17, 2018

It’s been quite a few months since we last saw a “dangerous” string pushing iPhones to their sudden (temporary) deaths. In yet another case of random strings crashing iOS devices, we have a new culprit that manages to freeze iPhone. Detailed by software developer Abraham Masri, the bug has been named as chaiOS. The problem with this prank, however, is that you don’t even need to click on it for it to freeze your iPhone.

All that a hater needs to do is to have your phone number and send a link. The bug requires no action from your side. In a tweet, Masri wrote that if someone texts the malicious link http://iabem97.github.io/chaiOS, it will freeze the recipient’s device, and possibly restart it. [This link would no longer work as GitHub temporarily suspended Masri’s account and the chaiOS repository appears to have been removed]

? Effective Power is back, baby!

chaiOS bug:
Text the link below, it will freeze the recipient's device, and possibly restart it. https://t.co/Ln93XN51Kq

⚠️ Do not use it for bad stuff.
—-
thanks to @aaronp613 @garnerlogan65 @lepidusdev @brensalsa for testing!

— Abraham Masri (@cheesecakeufo) January 16, 2018

chaiOS works by inserting hundreds of thousands of characters into a web page’s metadata. Apple allows developers to customize the image and title of a link that is shared via Messages for a better preview. However, if someone injects an excruciatingly long string and then the Messages app has to show a preview of that link based on the metadata, it essentially crashes.

While GitHub has removed the repo from Masri’s account, it has been copied by others. “My GitHub is publicly accessible, so anyone can copy. I’m pretty sure someone else has posted it, but I’m not going to rehost it,” Masri said.

The bug I released was to get @Apple's attention. It's just an html file.@Github always hosted jailbreaks (even .ipa files) that might've included malware. I don't understand why you'd ban my account.
Btw, I always report bugs before releasing them.

— Abraham Masri (@cheesecakeufo) January 17, 2018

Talking to BuzzFeed, another security researcher who tested the bug confirmed that “the device will freeze for a few minutes. Then, most of the time, it resprings.” However, several people suggest that the Messages app continues to crash even after the phone comes back to life. The bug has been tested on iOS 10 through iOS 11.2.5 beta 5 and appears to affect all the iPhones. The issue might affect other iOS devices and Macs, as well.

Masri doesn’t want you to freeze iPhones with this link – it’s supposed to be just a warning to Apple

Masri said he posted this bug publicly because Apple never takes these issues seriously. This bug doesn’t just temporarily freeze the device, but continues to create issues for the user. Researchers have advised to delete the thread if you see such a link being sent. However, in some cases, Messages app starts to crash right when you open it making you unable to delete the troubling messages.

On the Twitter thread of Masri’s report, some have suggested to go for the Limit Adult Content option to block GitHub.

Head over to Settings > General
Tap on Restrictions > Enable Restrictions > Websites > Limit Adult Content > Never Allow > GitHub.io

The above, however, won’t protect you if the string has been hosted elsewhere. If Messages app continues to crash, you might have to restore your iOS device, which is a pain. Let’s hope Apple responds quickly to this issue with a software update.

While some are upset with Masri for publicly sharing the issue, he said that it was done to make a point; “Apple needs to take such bugs more seriously.”