According to an article by Nicole Nguyen at Buzzfeed, yesterday afternoon software developer Abraham Masri publicly posted the bug — a security vulnerability called "chaiOS" that he found while attempting to break the operating system via "fuzzing" — to Github. Fuzzing is a way of testing for vulnerabilities that involves feeding a system large volumes of malformed or unexpected data to see whether it crashes.
Here's how the bug works according to Buzzfeed's piece:
What really, really sucks? Once someone sends you the link to the page with tons of extra characters in its metadata through Messages, it will crash your phone, even if you don't click it or interact with it in any way. This basically means that all someone needs to freeze up your device for a few minutes (if not break it completely) is your phone number. Masri says the bug can also affect Macs.
Twitter user @aaronp613, one of the testers of the bug, spoke with Buzzfeed about what happens after the link is sent:
Aaron then told Buzzfeed that once your phone reboots, the Messages app still won't load and will continue to crash. He also reported that the bug affects iOS versions 10.0 through 11.2.5 beta 5, though he has yet to test it on iOS 11.2.5 beta 6 — the latest beta — which was released earlier today.
The Github page hosting the code for the chaiOS vulnerability has been taken down and Masri's account has been suspended since he posted the link on Twitter. However, that doesn't mean that it's gone for good — because Masri's Github was open to the public, it's likely that someone else has already re-copied it and posted it elsewhere.
Masri stated in his chat with Buzzfeed that he has reported the bug to Apple, and that releasing it was to get Apple's attention as the company reportedly routinely ignores his reports:
And it seems it worked — Apple confirmed to Buzzfeed that a fix for the bug is currently in the works, and will be released in an update next week. There is no word about whether or not Apple has responded to Masri directly, however.
So what can I do?
Basically, be vigilant. If you see that you've received a link you don't recognize that you think may be running the chaiOS bug, delete it immediately (if you're able). However, that may not be possible, because in some cases Messages will crash before you're even able to open it. If you're not able to open the Messages app at all due to the bug, you may consider resetting your phone to its factory settings by doing a full restore. However, this will delete your photos and anything else saved to your device.
Outside of that, it's always a good idea to make sure your phone is running the latest version of iOS — Apple routinely fixes vulnerabilities in updates, and this is no different. Definitely update to the newest iOS as soon as you're able.
For more information regarding the chaiOS bug, you can check out Buzzfeed's article.
Have a question? Sound off in the comments.
Tory Foulk is a writer at Mobile Nations. She lives at the intersection of technology and sorcery and enjoys radio, bees, and houses in small towns. When she isn't working on articles, you'll likely find her listening to her favorite podcasts in a carefully curated blanket nest. You can follow her on Twitter at @tsfoulk.