Single Text Character Can Crash iOS and macOS Devices
In January 2018, researcher Abraham Masri reported the discovery of a bug called chaiOS. This issue was similar to the older Effective Power bug found back in 2015. The chaiOS attack allowed someone to send a “text bomb” to the iMessage app, causing the app to freeze or even crashing the device, which made recovery difficult.
Now, a similar vulnerability has been found in iOS and macOS, and there is currently no patch available. The new issue was first noticed and described by the Italian blog Mobile World.
Which Devices Are Affected?
This new problem affects not only iPhones, but also other Apple devices, including iPads, Macs, and even devices running watchOS. The vulnerability can be exploited by simply sending a message in almost any app, including Messages, Safari, Slack, WhatsApp, Facebook Messenger, Outlook for iOS, Gmail, and Twitter. According to user reports, Telegram and Skype are not affected by this attack.
How Does the Attack Work?
The attack is triggered by a single text character: జ్ఞా. This character is from the Telugu language, which is widely used in the Indian states of Andhra Pradesh and Telangana, where it is an official language.
If an iOS or macOS user receives this character in a message (for example, via WhatsApp) or types it themselves, the app will crash and enter an endless loop until the victim receives a new, different message. At that point, the user can access notifications and delete the problematic conversation. Alternatively, the victim can manually delete the message, for example, through the web version of the messenger if available.
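While no patch is available, a message gateway or bot that relays text to Apple clients can filter the sequence before it is rendered. The sketch below is an added example, not code from Mobile World or Apple. It assumes the character exactly as printed on this page is the full trigger, and the names `find_trigger`, `sanitize` and `PLACEHOLDER` are hypothetical.

```python
import unicodedata

# The character exactly as printed on this page (assumption: this rendering
# is the complete trigger; any other variants are not covered here).
TRIGGER = "జ్ఞా"
PLACEHOLDER = "[filtered]"  # hypothetical replacement text


def describe(text):
    """Return (code point, Unicode name) pairs so an analyst can inspect the sequence."""
    return [(f"U+{ord(ch):04X}", unicodedata.name(ch, "UNNAMED")) for ch in text]


def find_trigger(message):
    """Return the start offset of every occurrence in the NFC-normalized message."""
    normalized = unicodedata.normalize("NFC", message)
    needle = unicodedata.normalize("NFC", TRIGGER)
    offsets, start = [], normalized.find(needle)
    while start != -1:
        offsets.append(start)
        start = normalized.find(needle, start + len(needle))
    return offsets


def sanitize(message):
    """Replace the sequence before the text reaches a vulnerable renderer.

    Returns (clean_text, number_of_replacements).
    """
    normalized = unicodedata.normalize("NFC", message)
    needle = unicodedata.normalize("NFC", TRIGGER)
    return normalized.replace(needle, PLACEHOLDER), len(find_trigger(message))


# Constructed sample messages, not captured traffic.
SAMPLES = [
    "lunch at noon?",
    "look at this " + TRIGGER + " lol",
    "తెలుగు is spoken in Andhra Pradesh",  # ordinary Telugu text must pass untouched
]

if __name__ == "__main__":
    for code_point, name in describe(TRIGGER):
        print(code_point, name)
    for msg in SAMPLES:
        clean, count = sanitize(msg)
        print(count, repr(clean))
```

The filter matches only the exact sequence, so ordinary Telugu text passes through unchanged.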
Apple’s Response
Apple engineers are already aware of the problem and have promised to release a patch for iOS as soon as possible, before the release of iOS 11.3, which is scheduled for spring 2018. The publicly available beta version of iOS 11.3 is not affected by this bug.
Below, you can see a real-life demonstration of the issue. The video was created by the authors of Mobile World.