'ChaiOS' Bug Can Cause IMessage to Crash With a Text Message

posted by martyb on Friday January 19, @07:27AM
Security

Fnord666 writes:

There's a new bug floating around called "chaiOS" that appears to be a basic GitHub link. However, when you text it to a person via the iMessage app (whether on iOS or MacOS), it will crash the app and possibly cause the device to freeze and restart. In other words: Be aware that this exists, but don't send it to anyone.

It was Twitter user Abraham Masri who first uncovered the bug. The people over at 9to5Mac tested it out, and it certainly messed up their devices. They reported crashes and severe lags as a result of the bugs that persisted until the thread containing the link was deleted from the iMessage app. If you did send or receive it, and your device is a mess, there's also a fix in the replies to Masri's original tweet. We've reached out to Apple to confirm that their team is aware of the bug, and to see if there are any fixes in the works.

Source: EnGadget

Original Submission


'ChaiOS' Bug Can Cause IMessage to Crash With a Text Message
  • (Score: 0) by Anonymous Coward on Friday January 19, @07:58AM

    Be aware that this exists, but don't send it to anyone.

    C'mon, where's the fun in that? iOS or MacOS, right? They probably deserve it, espeically if they are people whose contact info I have! Ha ha ha ha ha! Eat freeze, Apple fools!

  • (Score: 0) by Anonymous Coward on Friday January 19, @08:08AM (3 children)

    Why would certain words crash the app?

    • (Score: 2) by maxwell demon on Friday January 19, @08:15AM (1 child)

      by maxwell demon (1608) Subscriber Badge on Friday January 19, @08:15AM (#624615) Journal

      That "word" is a link. Special processing for links (e.g. to allow you to follow it by just clicking/tapping on it) is quite common. Although it certainly shouldn't crash you app or freeze your device.

    • (Score: 3, Insightful) by All Your Lawn Are Belong To Us on Friday January 19, @03:11PM

      by All Your Lawn Are Belong To Us (6553) on Friday January 19, @03:11PM (#624704)

      maxwell demon answered the technical side, but the ecosystem answer is different:

      Because:

      A) Basic networking design still does not have security-by-design baked into it, and:
      B) People want things to happen like pre-fetch of content or extended information about things like weblinks, which is inherently INsecure.
      C) NB: One should never trust a connection where any actor can send you a message or content, but everyone wants convenience that requires trust to be randomly extended to all.

      Or in other words, it's an extension of people not applying basic critical thinking to computers: The users, the designers, and most especially the people making money off of it.

  • (Score: 2) by WizardFusion on Friday January 19, @10:23AM (5 children)

    by WizardFusion (498) Subscriber Badge on Friday January 19, @10:23AM (#624638) Journal

    For the lazy, the link is

    https://t.co/Ln93XN51Kq [t.co]

    That's right, head over to https://t.co/Ln93XN51Kq/ [t.co] and check it out.

    Once more, it's https://t.co/Ln93XN51Kq/ [t.co]

    • (Score: 2) by coolgopher on Friday January 19, @11:54AM (3 children)

      by coolgopher (1157) Subscriber Badge on Friday January 19, @11:54AM (#624652)

      Are you sure? I only got a 404 page...

      • (Score: 2) by WizardFusion on Friday January 19, @12:41PM (2 children)

        by WizardFusion (498) Subscriber Badge on Friday January 19, @12:41PM (#624660) Journal

        It was, twitter have taken it down :(

        • (Score: 1, Informative) by Anonymous Coward on Friday January 19, @12:57PM (1 child)

          by Anonymous Coward on Friday January 19, @12:57PM (#624663)

          Fuck twatter. Fortunately we can recover the link https://web.archive.org/web/20180117063656/https://iabem97.github.io/chaiOS/ [archive.org]

          No guarantees but fingers crossed. Apparently the thing is meta property="og:title" content=some funny stuff which goes on for a bit.

          • (Score: 1) by mmh on Friday January 19, @05:51PM

            by mmh (721) Subscriber Badge on Friday January 19, @05:51PM (#624794)

            Interestingly, in Pale Moon 26.5 on Fedora, it causes the browser is use 100% CPU for very long periods of time. Grabbing it with curl, it's just a 12MB file.

            $ curl 'https://web.archive.org/web/20180117063656/https://iabem97.github.io/chaiOS/' | wc -c
              % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                             Dload  Upload   Total   Spent    Left  Speed
            100 11.6M  100 11.6M    0     0  2636k      0  0:00:04  0:00:04 --:--:-- 2969k

            12254781

    • (Score: 0) by Anonymous Coward on Friday January 19, @06:33PM

      by Anonymous Coward on Friday January 19, @06:33PM (#624818)

      This is a "working" link:
      https://web.archive.org/web/20180117063656/https://iabem97.github.io/chaiOS/ [archive.org]

      The document contains a meta property="og:title" content=$FOO
      with FOO a 4 MB string with a bunch of non-ASCII chars.
      Might be a buffer overflow.

