There’s a security bug in Apple devices that allows people to freeze or crash a phone via text message. Someone can use the “text bomb” to freeze your iPhone by texting you a link with the malicious code. Even if you don’t click on the link, the bug can affect your phone, causing iMessage to crash repeatedly, slowing down Safari, and draining your battery. An Apple spokesperson told Bustle, “Apple confirmed a fix is coming in a software update next week.”
Software developer and researcher Abraham Masri found the bug, dubbed chaiOS. Masri posted the bug on GitHub and shared a link to that GitHub page on Twitter. “Text the link below, it will freeze the recipient's device, and possibly restart it,” Masri tweeted, adding, “Do not use it for bad stuff.”
According to an interview with BuzzFeed News, Masri discovered the bug while “fuzzing with the operating system,” meaning he was attempting to break the operating system by putting random characters into the internal code. Masri said he reported the bug on January 15 but didn’t receive a response indicating Apple’s intentions to fix the problem. He then published the bug in order to get Apple’s attention, as he stated in a tweet. “My intention is not to do bad things,” Masri told BuzzFeed News. “I always report the bug before releasing something.”
While its effects are irritating if used maliciously (crashing iMessage and Safari, restarting your device), chaiOS doesn’t appear to pose a security risk to affected devices.
How Does It Work?
chaiOS works by messing with the link preview feature in Messages, as reported by BuzzFeed. When someone texts you a link, it typically shows up in your messages with an image preview and a couple of lines of text, usually the URL and a brief title of the link. That preview is generated by customized code, a few characters long, which a developer puts into their website’s HTML. Rather than just a few characters, Masri’s link used hundreds of thousands of characters, which is what he suspects caused the Messages app to crash.
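As an added illustration (not Apple’s code and not part of the original article), here is one way a link-preview generator can bound the page metadata it reads, so that a title hundreds of thousands of characters long produces a plain-URL fallback instead of being rendered. The limits, function names and sample inputs are assumptions made for this example.

```python
from html.parser import HTMLParser
# Limits are assumptions chosen for illustration, not values used by iOS.
MAX_DOC_CHARS = 256 * 1024   # refuse to parse pages larger than this
MAX_FIELD_CHARS = 300        # longest title/description a preview will show
WANTED = {"og:title": "title", "og:description": "description"}
# Constructed sample inputs, not taken from any real site.
SAMPLE_OK = '<title>Example Page</title><meta property="og:description" content="A short summary.">'
SAMPLE_HUGE = "<title>" + "A" * 200_000 + "</title>"

class PreviewParser(HTMLParser):
    """Collects <title> and Open Graph text, noting fields that exceed the cap."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.fields, self.oversized = {}, set()
        self._in_title, self._title_parts = False, []

    def _store(self, name, value):
        value = " ".join(value.split())       # collapse whitespace runs
        if len(value) > MAX_FIELD_CHARS:
            self.oversized.add(name)          # record it, never keep the value
        elif value and name not in self.fields:
            self.fields[name] = value         # first occurrence wins

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "meta" and attrs.get("property") in WANTED:
            self._store(WANTED[attrs["property"]], attrs.get("content") or "")

    def handle_data(self, data):
        if self._in_title:
            self._title_parts.append(data)

    def handle_endtag(self, tag):
        if tag == "title" and self._in_title:
            self._in_title = False
            self._store("title", "".join(self._title_parts))

def build_preview(url, html):
    """Return preview fields, or a bare-URL fallback when the page is out of bounds."""
    fallback = {"url": url, "title": url, "description": "", "degraded": True}
    if len(html) <= MAX_DOC_CHARS:
        parser = PreviewParser()
        parser.feed(html)
        parser.close()
        if not parser.oversized and "title" in parser.fields:
            return {**fallback, **parser.fields, "degraded": False}
    return fallback
```

The point of the fallback is that one out-of-bounds field degrades the whole preview to the bare link, so nothing downstream has to lay out or render the oversized text.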
Masri took the GitHub page down after his account was suspended (GitHub has since reinstated his account) and his tweet sharing the code started to go viral. While the original page is gone, Masri said someone else could have copied the code and hosted it on another site. Masri tweeted that he has no intention of rehosting it. “I made my point,” he wrote. “Apple needs to take such bugs more seriously.”
What Can You Do If You Get Sent The Link?
Start by trying to delete the message thread. If you’re unable to open the Messages app (the bug may cause it to crash repeatedly), try restoring your device to its factory settings. But heads up: that will delete any photos and saved data on your phone.
In case the bug has been reposted on GitHub, some Twitter users suggested blocking the domain on your phone. You can do that by following this pathway: Settings app > General > Restrictions > Enable Restrictions > Websites > Limit Adult Content > Never Allow > GitHub.io
However, that will only work if the bug is being hosted on GitHub. It will not block the bug if it’s being hosted on another site.
The best way to prevent your phone from being vulnerable to these kinds of bugs? Keep your device updated to the latest version of iOS. Typically, Apple will release updated operating systems which include patches for these newly discovered bugs.
Again, chaiOS doesn’t appear to pose any sort of security risk to your phone. While this bug seems particularly scary, given its ability to be effective even if you don’t open the link, its effects seem to be more frustrating than anything.