Text bomb, text bomb, you're my text bomb! Naughty HTML freezes Messages, Safari, etc
Apple font code on iOS, macOS knackered by texted link
A specially crafted webpage will knacker Apple's Messages and Safari software on iOS and macOS, allowing miscreants to spread merry mischief by texting fans a link to the dastardly HTML.
The page also causes other programs, such as TextEdit on Macs, to hang when opened. This is due to, from what we can tell, it being stuffed with characters that confuse the operating system's font-rendering code, resulting in applications hanging forever or being automatically killed.
The programming blunder in the iGiant's display code is triggered by, according to a note in the aforementioned webpage, overloading "the title property with massive characters containing heavy ligature." This, it seems, causes the rendering routines, or components related to them, to enter an infinite loop and thus become unresponsive. This leaves folks with non-working software.
Several copies and mirrors of the crafty HTML have been taken down from the web but at time of writing you can find a copy at
hxxxp://cydia.furcode.co/chaiOS2. Open entirely at your own risk.
Crucially, a victim may not have to explicitly click or tap on the link to activate the attack. For example, if you text the URL to pal and their Messages app fetches it automatically to display a preview, then it's game over. The HTML is rendered and the code is hijacked.
The naughty script was apparently the work of Abraham Masri, aka CheeseCakeUFO on Twitter, who shared it online as a proof-of-concept demo of the bug:
Bang ... Clicking on that link in Messages, Safari or similar will knackered the device
It's not thought the script is capable of performing more than a denial of service; it doesn't trigger the execution of arbitrary code, for example.
“[This is] more of a nuisance than something that will lead to data being stolen from your computer or a malicious hacker being able to access your files,” said infosec pundit and Mac fan Graham Cluley in a blog post this week.
Text bomb vulnerabilities that affect Apple's software are rare but far from unprecedented. For example, in 2015, it emerged a sequence of characters referred to as Effective Power would reboot iPhones. Similar stuff was seen in 2013.
We're told Apple is working on a patch to close down the prankster-friendly hole, and this is expected to be released next week. ®