Date: 2018-01-17

According to an article by Nicole Nguyen at Buzzfeed, yesterday afternoon software developer Abraham Masri publicly posted the bug — a security vulnerability called "chaiOS" that he found while attempting to break the operating system via "fuzzing" — to GitHub. Fuzzing is essentially a way of testing for vulnerabilities by feeding a system far more data than it expects in order to crash it.

👋 Effective Power is back, baby!



chaiOS bug:

Text the link below, it will freeze the recipient's device, and possibly restart it. https://t.co/Ln93XN51Kq



⚠️ Do not use it for bad stuff.

----

thanks to @aaronp613 @garnerlogan65 @lepidusdev @brensalsa for testing!

— Abraham Masri (@cheesecakeufo) January 16, 2018

Here's how the bug works according to Buzzfeed's piece:

When someone texts you a link to a website through Messages in iOS, the app generates a preview of the link. Apple's software guidelines allow developers to insert a small amount of characters into their website's HTML to customize the image and title of that link preview. Instead of a small amount of characters, Masri inputted hundreds of thousands of characters into a webpage's metadata, much more than the operating system expects, which Masri suspects is why Messages crashes. He then hosted the bug's code on GitHub, which made it available for other people to use.
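One way a link-preview generator can bound untrusted page metadata before it reaches the renderer, shown as an added example that is not from Buzzfeed's piece, Masri's code or Apple's software. The size limits and the names `PreviewMeta` and `safe_preview` are assumptions chosen for illustration.

```python
from html.parser import HTMLParser

MAX_PAGE_BYTES = 1024 * 1024  # assumed cap on HTML handed to the parser
MAX_FIELD_CHARS = 300         # assumed cap on any one preview field
WANTED = ("og:title", "og:image")

class PreviewMeta(HTMLParser):
    """Collects <title> and Open Graph title/image, storing at most the cap."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.fields = {}        # source name -> capped value, first one wins
        self.oversized = set()  # source names whose value exceeded the cap
        self._in_title = False

    def _store(self, name, value):
        if len(value) > MAX_FIELD_CHARS:
            self.oversized.add(name)
        self.fields.setdefault(name, value[:MAX_FIELD_CHARS])

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "meta":
            name = (attrs.get("property") or attrs.get("name") or "").lower()
            if name in WANTED:
                self._store(name, attrs.get("content") or "")

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self._store("title", data.strip())

def safe_preview(raw: bytes) -> dict:  # bounded fields plus flags to log
    p = PreviewMeta()
    p.feed(raw[:MAX_PAGE_BYTES].decode("utf-8", errors="replace"))
    p.close()
    return {"title": p.fields.get("og:title") or p.fields.get("title", ""),
            "image": p.fields.get("og:image", ""),
            "oversized": sorted(p.oversized),
            "page_truncated": len(raw) > MAX_PAGE_BYTES}

if __name__ == "__main__":
    # Constructed sample: an og:title far longer than any real page title.
    page = b'<meta property="og:title" content="' + b"A" * 300_000 + b'">'
    print(safe_preview(page)["oversized"])
```

The `oversized` and `page_truncated` flags let the caller skip the rich preview and show the bare URL instead of rendering metadata that was cut to fit.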

What really, really sucks? Once someone sends you the link to the page with tons of extra characters in its metadata through Messages, it will crash your phone, even if you don't click it or interact with it in any way. This basically means that all someone needs to freeze up your device for a few minutes (if not break it completely) is your phone number. Masri says the bug can also affect Macs.

Twitter user @aaronp613, one of the testers of the bug, spoke with Buzzfeed about what happens after the link is sent:

The device will freeze for a few minutes. Then, most of the time, it resprings.

Aaron then told Buzzfeed that once your phone reboots, the Messages app still won't load and will continue to crash. He also reported that the bug affects iOS versions 10.0 through 11.2.5 beta 5, though he has yet to test it on iOS 11.2.5 beta 6 — the latest beta — which was released earlier today.

The GitHub page hosting the code for the chaiOS vulnerability has been taken down and Masri's account has been suspended since he posted the link on Twitter. However, that doesn't mean that it's gone for good — because Masri's GitHub was open to the public, it's likely that someone else has already copied it and posted it elsewhere.

Masri stated in his chat with Buzzfeed that he has reported the bug to Apple, and that releasing it was meant to get Apple's attention, as the company reportedly routinely ignores his reports:

My intention is not to do bad things. My main purpose was to reach out to Apple and say, 'Hey you've been ignoring my bug reports.' I always report the bug before releasing something.