According to an article by Nicole Nguyen at Buzzfeed, yesterday afternoon software developer Abraham Masri publicly posted the bug — a security vulnerability called "chaiOS" that he found while attempting to break the operating system via "fuzzing" — to Github. Fuzzing is essentially a way of testing for vulnerabilities that involves putting way too much data into a system in order to crash it.
Here's how the bug works according to Buzzfeed's piece:
What really, really sucks? Once someone sends you the link to the page with tons of extra characters in its metadata through Messages, it will crash your phone, even if you don't click it or interact with it in any way. This basically means that all someone needs to freeze up your device for a few minutes (if not break it completely) is your phone number. Masri says the bug can also affect Macs.
Twitter user @aaronp613, one of the testers of the bug, spoke with Buzzfeed about what happens after the link is sent:
Aaron then told Buzzfeed that once your phone reboots, the Messages app still won't load and will continue to crash. He also reported that the bug affects iOS versions 10.0 through 11.2.5 beta 5, though he has yet to tested it on iOS 11.2.5 beta 6 — the latest beta — which was released this earlier today.
The Github page hosting the code for the chaiOS vulnerability has been taken down and Masri's account has been suspended since he posted the link on Twitter. However, that doesn't mean that it's gone for good — because Masri's Github was open to the public, it's likely that someone else has already re-copied it and posted it elsewhere.
Masri stated in his chat with Buzzfeed that he has reported the bug to Apple, and that releasing it was to get Apple's attention as the company reportedly routinely ignores his reports:
And it seems it worked — Apple confirmed to Buzzfeed that a fix for the bug is currently in the works, and will be released in an update next week. There is no word about whether or not Apple has responded to Masri directly, however.
So what can I do?
Basically, be vigilant. If you see that you've received a link you don't recognize that you think may be running the chaiOS bug, delete it immediately (if you're able). However, that may not be possible, because in some cases Messages will crash before you're even able to open it. If you're not able to open the messages app whatsoever due to the bug, you may consider resetting your phone to its factory settings by doing a full restore. However this will delete your photos and anything else saved to your device.
Outside of that, it's always a good idea to make sure your phone is running the latest version of iOS — Apple routinely fixes vulnerabilities in updates, and this is no different. Definitely update to the newest iOS as soon as you're able.
For more information regarding the chaiOS bug, you can check out Buzzfeed's article.
Have a question? Sound off in the comments.
Get the best of iMore in in your inbox, every day!
Tory Foulk is a writer at Mobile Nations. She lives at the intersection of technology and sorcery and enjoys radio, bees, and houses in small towns. When she isn't working on articles, you'll likely find her listening to her favorite podcasts in a carefully curated blanket nest. You can follow her on Twitter at @tsfoulk.
I suppose this is what you get when you ignore bug reports, Apple.... Actually, scratch that. This is what WE, the users, get when you ignore bug reports, Apple!
Still has far less bugs than Android, and that's referring to the latest version of Android, which isn't available for most phones
This could lead to a good jailbreak though.
Every ☁️, as they say :)
“Do not use it for bad stuff”, Masri said. Really what good does he think can come from someone sending the link [that freezes or restart the phone) to someone? Stupid statement.
I don’t use iMessage, so no problem.
So you've disabled iMessage completely on your phone? Many people consider iMessage as one of the biggest reasons for having an iPhone, it would be odd to disable it
Thank you for signing up to iMore. You will receive a verification email shortly.
There was a problem. Please refresh the page and try again.