A new bug has been discovered in Apple’s iOS software that crashes the Messages app and can freeze or restart a users device when sent a specific link.
Software developer Abraham Masri is the man who found the bug and he gave it a catchy name, “chaiOS.” This new bug exploits a vulnerability in Apple’s Messages app that preloads web links to show users a quick preview.
How Does chaiOS Work?
Masri gave some background on his experience with chaiOS. In an interview, Masri said he found the vulnerability while messing around with the operating system. He created a website hosted on GitHub, stuffed the site's metadata with tons of characters, and then sent the link through the Message app on iOS.
The response to sending a site like through the Message app causes it to crash because it is trying to load all the unexpected information. ChaiOS could also cause the smartphone to restart.
Effective Power is back, baby!
Text the link below, it will freeze the recipient's device, and possibly restart it. https://t.co/Ln93XN51Kq
— Abraham Masri (@cheesecakeufo) January 16, 2018
The Messages app doesn’t always crash and some reports have found that there could be freezing, lagging, or a restart.
Masri did some testing on different iPhone devices and found that the bug is affecting only later versions of Apple iOS. ChaiOS is actively crashing the Messages app on iOS devices running 10.0 to 11.2.5 beta 5. The bug also crashes Messages on macOS, but no word on messages on the iPad.
Fortunately, there are not many working links of chaiOS around. Masri’s link on GitHub has been taken down, along with other mirrored versions. He further went on to say that he’s not planning to re-upload the link and only wanted to get Apple’s attention on the issue.
No, I'm not going to re-upload it. I made my point. Apple needs to take such bugs more seriously. — Abraham Masri (@cheesecakeufo) January 17, 2018
What To Do If You Encounter ChaiOS
If users somehow get sent a link to the chaiOS bug, there are a few ways to fix your device.
First, users can simply delete the message thread the bug is sent in. It’s a simple way to avoid the link and the user that sent it.
Second, users can block the domain of the website hosting the bugged file. That can be done by going into Settings, General, Restrictions, Enable Restrictions, Websites, Limit Adult Content, Never Allow, and then add the name of the website.
If it becomes a larger issue we can expect Apple to release a patch in the near future, but until then just be careful opening links.