Another day, another text message can make your iPhone freak out just by being opened. The bug, a “text bomb” being referred to as chaiOS, is no laughing matter; however, the good news is that learning how to protect yourself from the iPhone text bomb is actually pretty simple. It’s not fool proof, of course — but it might go a long towards easing your mind if you’re a little nervous about the whole thing. An Apple spokesperson told Bustle, "Apple confirmed a fix is coming in a software update next week.”
According to the Daily Dot, software developer Abraham Masri found the bug on Jan. 15. Masri discovered that, when exploited, chaiOS can cause the iPhone text message app, Messages, to crash. (iPads and Macs might also be vulnerable.) Masri reported it to Apple before posting the bug to GitHub for informational purposes on Jan. 16 — but although the original GitHub link has since been taken down, the bug is still out there and able to wreak havoc on your phone if you’re not careful.
The link exploits a bug in the way the Messages app handles link previews, reports BuzzFeed. Here’s how it works: Whenever you receive a link in an iMessage text through Messages, a preview of the link will be automatically generated; this preview is what displays in the iMessage box when you open the text. Developers can customize what the previews of specific links look like by inserting a couple of characters into the website’s HTML — but if you insert more than a couple of characters, your phone’s operating system can’t quite handle it.
That’s apparently what Masri did: He inputted thousands of characters into the website’s code, which, he found, will overload the system and cause the Messages app to crash. After discovering and reporting this bug to Apple, Masri then posted it to GitHub — which means that, although he did specifically tell people, “Do not use it for bad stuff”… well, anyone could have grabbed it and used it for whatever they want, including “bad stuff.”
(For what it’s worth, Masri did tell BuzzFeed, “My intention is not to do bad things. My main purpose was to reach out to Apple and say, ‘Hey, you’ve been ignoring my bug reports.’ I always report the bug before releasing something.” Personally, I would argue that once you release something like this into the wild knowing what it can do, you’re then responsible for it if anyone does use it for bad stuff…but that’s just me. The ethics of making bugs like this publicly available regardless of your own intentions is a whole ‘nother conversation.)
Happily, though, there are a few things you can do to protect yourself from the bug. First off, if you get a text with a link preview in it, don’t open the iMessage unless you know exactly what it is and who it’s from. Here’s what an iMessage with a preview in it looks like from the Messages menu (that is, what it looks like before you actually open the text):
See something like that? Don’t open the text if the preview domain is from GitHub, if you don’t recognize the domain at all, if you don’t know who it’s from, etc. And, if your phone does get bombed by this evil little text, you can always reset the whole thing to its factory settings; just know that if you do so, all of your photos, saved data, and settings will be erased, so make sure you’ve got a recent backup available you use to restore your phone to its former glory afterwards.
You can also set your phone to block the GitHub domain from Safari entirely, which some folks say is a decent solution to the problem, according to BuzzFeed. It does come with a caveat, though: Enacting this hack will only prevent the bad link from displaying on your phone if it’s specifically from GitHub. That means that if Masri’s link has been reposted to GitHub by anyone else, your phone should be protected from it — but, if anyone has posted the code anywhere else (to their own server, for example), your phone is still vulnerable to it. The only way to be fully protected is to identify all the possible domains on which the bug could be hosted and block them all — which, let’s face it, isn’t likely an achievable goal.
But, for the sake of argument, here’s how to block GitHub from your phone: