Apple Releases Updates to Fix Telugu Character Bug

Last week, Apple device users around the world became targets for pranksters and trolls of all kinds. Independent researcher Abraham Masri discovered a vulnerability affecting iOS, macOS, tvOS, and watchOS. This issue could be exploited in almost any app, including Messages, Safari, Chrome, Thunderbird, Slack, WhatsApp, Facebook Messenger, Outlook for iOS, Gmail, Twitter, and more. All of these applications would react to a single text character (జ్ఞ‌ా) as a classic “text bomb,” causing them to freeze or enter an endless crash loop.

For example, one Twitter user demonstrated how the Uber app on a driver’s device could be crashed simply by including the problematic character in the client’s name when ordering a ride.

This character is used in Telugu, an official language in the Indian states of Andhra Pradesh and Telangana. The exact reason why this character caused such a reaction in the apps is still unclear, and experts have proposed various theories. You can read more about these theories from a Mozilla engineer and a Unicode Consortium specialist.

Apple’s developers rushed to prepare patches as quickly as possible, understanding that users were being widely targeted by trolling and pranks. The bug was assigned the identifier CVE-2018-4124 and was fixed earlier this week in all of Apple’s operating systems: macOS High Sierra 10.13.3 Supplemental Update, iOS 11.2.6, watchOS 4.2.3, and tvOS 11.2.6.