According to an article by Nicole Nguyen at Buzzfeed, yesterday afternoon software developer Abraham Masri publicly posted the bug — a security vulnerability called "chaiOS" that he found while attempting to break the operating system via "fuzzing" — to Github. Fuzzing is essentially a way of testing for vulnerabilities that involves putting way too much data into a system in order to crash it.
Here's how the bug works according to Buzzfeed's piece:
When someone texts you a link to a website through Messages in iOS, the app generates a preview of the link. Apple's software guidelines allow developers to insert a small amount of characters into their website's HTML to customize the image and title of that link preview. Instead of a small amount of characters, Masri inputted hundreds of thousands of characters into a webpage's metadata, much more than the operating system expects, which Masri suspects is why Messages crashes. He then hosted the bug's code on Github, which made it available for other people to use.
What really, really sucks? Once someone sends you the link to the page with tons of extra characters in its metadata through Messages, it will crash your phone, even if you don't click it or interact with it in any way. This basically means that all someone needs to freeze up your device for a few minutes (if not break it completely) is your phone number. Masri says the bug can also affect Macs.
Twitter user @aaronp613, one of the testers of the bug, spoke with Buzzfeed about what happens after the link is sent:
The device will freeze for a few minutes. Then, most of the time, it resprings.
Aaron then told Buzzfeed that once your phone reboots, the Messages app still won't load and will continue to crash. He also reported that the bug affects iOS versions 10.0 through 11.2.5 beta 5, though he has yet to tested it on iOS 11.2.5 beta 6 — the latest beta — which was released this earlier today.
The Github page hosting the code for the chaiOS vulnerability has been taken down and Masri's account has been suspended since he posted the link on Twitter. However, that doesn't mean that it's gone for good — because Masri's Github was open to the public, it's likely that someone else has already re-copied it and posted it elsewhere.
Masri stated in his chat with Buzzfeed that he has reported the bug to Apple, and that releasing it was to get Apple's attention as the company reportedly routinely ignores his reports:
My intention is not to do bad things. My main purpose was to reach out to Apple and say, 'Hey you've been ignoring my bug reports.' I always report the bug before releasing something.
And it seems it worked — Apple confirmed to Buzzfeed that a fix for the bug is currently in the works, and will be released in an update next week. There is no word about whether or not Apple has responded to Masri directly, however.
So what can I do?
Basically, be vigilant. If you see that you've received a link you don't recognize that you think may be running the chaiOS bug, delete it immediately (if you're able). However, that may not be possible, because in some cases Messages will crash before you're even able to open it. If you're not able to open the messages app whatsoever due to the bug, you may consider resetting your phone to its factory settings by doing a full restore. However this will delete your photos and anything else saved to your device.
Outside of that, it's always a good idea to make sure your phone is running the latest version of iOS — Apple routinely fixes vulnerabilities in updates, and this is no different. Definitely update to the newest iOS as soon as you're able.
For more information regarding the chaiOS bug, you can check out Buzzfeed's article.
Have a question? Sound off in the comments.