“Text Bomb” - Freeze and Crash Your iPhone | Lucideus Research

A new bug has been identified in iMessage which dubbed as chaiOS, which can infect Apple’s iPhone and Mac devices and crashes or freezes them. According to vulnerability, a web page was created in which coder inserts thousands of random characters into its internal coding. When a link of the web page is sent to a device, and even the user doesn’t click on it tries to show preview in the message, the bug will be activated and the phone will get the freeze or get crashed.

In case of iMessage:
The iMessage app generates a preview of this malicious link and since Apple allows developers to insert a few characters into the HTML of their website for customization of the title of that link preview in the app.

Masri actually inserted thousands of characters, which was much more than the iOS allowed. This is why the iMessage app got crashed. The code for this bug was later posted on GitHub by Masri due to which it became available to the public.

The bug was tested in our Lucideus Labs, in which the link was sent to multiple devices which leads to froze phones for a few minutes and then restarted. The device continuously crashed and may the user wasn’t able to load messages. For POC you can see the video below. 

                                    Watch POC Here: https://youtu.be/3AP9xlSYuS4

This bug affected iOS versions from 10.0 to 11.2.2 and has been testing on iPhone5, iPhone6, iPhone7 and iPhone7 Plus. Even we have tested this on other Mac devices, the bug crashes the Safari browser and causes the system to slow down.

In case of Text Message:
The “Text Message” in iPhone will not show any preview so the phone will not get freeze and crash. But don’t click on such link, which again will let this link to get open in safari and results again crashing in iPhone.

Precautions:
1. Keeping iPhone and iPad updated with latest iOS version as it includes patches for such bugs.

2. It is also possible to block GitHub domain by following this path Settings app > General > Restrictions > Enable Restrictions > Websites > Limit Adult Content > Never Allow > GitHub.io on Safari settings, So that if the bug is reposted on GitHub you will stay protected.

3. Turn off Imessages for some time, until no security patch is there from Apple.

4. Don’t click on link coming from suspicious persons (via Text, Whatsapp etc)

No comments:

Powered by Blogger.