
MacRumors

macrumors bot
Original poster
Apr 12, 2001
63,704
31,117



A link that exploits a bug in iOS and Mac devices was shared on Twitter this afternoon, and if you receive this link through the Messages app, your iPhone or iPad can freeze up or respring, and the Messages app can become unusable.

The link, which goes to a GitHub page, breaks the Messages app and causes problems on both iOS devices and Macs. Simply receiving the link results in issues, likely due to the Messages feature that lets you preview web links. We tested the bad link and while we saw few resprings, it did reliably cause the Messages app to freeze entirely.


The only solution appears to be to quit out of the Messages app and then delete the entire offending conversation to restore full functionality.

These kinds of Message-based bugs have surfaced several times in the past, with text strings, videos, and more crashing the Messages app in the past. Such bugs are not serious, but they can be highly irritating when abused as a prank.

It's best not to send the link to friends, because it can cause the sending device to freeze up and crash as well. If your device is affected, quit the Messages app on Mac or iOS, open it back up, and immediately delete the entire message thread.

On Mac, you'll need to swipe right on the trackpad or right-click on the person's name to delete the conversation, while on iOS, you'll need to swipe to the right on a person's name to bring up the delete option.


Blocking the domain using Parental Restrictions may prevent the link from affecting your iOS devices. You can turn on Restrictions on iPhone or iPad by going to Settings --> General --> Restrictions --> Websites --> Limit Adult Content and adding "GitHub.io" to the "Never Allow" list.

Update: Apple appears to have addressed the bug in iOS 11.2.5 beta 6, and GitHub has removed the offending webpage.

Article Link: Malicious Link Texted to Mac and iOS Devices Can Cause Freezes and Resprings [Updated]
 

Princess Cake

macrumors 6502
Jan 15, 2010
327
256
Cheboygan, MI
O̖̟̝̦h ̱l͉̰͓ooḳ,̩̗̱ ̩͓̘͔t͕͚h̬̰̗̘̣̙͔e̝̮̯̟͍ ̗̖͔̣k̗̩̩̳͓̜͔i͚d͎̯̭s̭̙̣ ̟̫̳a̞ṛ̩̮̪̣͚e͚̰̺͔̭ ̟̜̥̖͇͓̝u̱̠s̬̯̥̳̲̠in̪̲g̜̣̝̦ ͓t̬̞hḙ̳̣ ͇͙̗͈̺̮͓g̠̱̣̭̦͕͓ḽḭ̞̘t̩c̤͎h̺̬͕̜̘̲y̞͉̘ t͔̥̰e͙̭͇̼̱̹x̙̠t̜͇̝̹ͅͅ ͔̞̠̱ge͚n̗e͍̦̝̺r̦͓a͇̳̣t͖̦̱͔̤̙o͓̭̗̹̤̜̼r͔͙̗̬̞̼͚:rolleyes:
 

newtestleper

macrumors 6502a
Jun 17, 2013
554
860
That’s Settings > GENERAL > Restrictions, if you don’t want to waste a few extra seconds of your life like I had to.
 
  • Like
Reactions: 6803390

rogerowankenobi

macrumors newbie
Feb 21, 2010
5
1
Kent, OH
No such option in Settings in iOS 11.2.2. Not even in Settings>General>Restrictions>Websites. Try again, please. Far as I can see, excluding a single website is not supported–though that certainly would be nice…
 

newtestleper

macrumors 6502a
Jun 17, 2013
554
860
No such option in Settings in iOS 11.2.2. Not even in Settings>General>Restrictions>Websites. Try again, please. Far as I can see, excluding a single website is not supported–though that certainly would be nice…

Correct, even in the latest beta. It’s “all”, “limit adult websites” or “allow these select sites only” (paraphrasing).
 

makingdots

macrumors 6502
Aug 14, 2008
312
201
Another day another exploitable issue with iOS/macOS. Apple really needs to double down on platform security because this is getting ridiculous.
It's still the most advanced secure platform. FYI, Bugs usually got fixed when found out. While there are positions there at Apple just to find bugs, there's occasionally a bug like these...
 
  • Like
Reactions: t1meless1nf1n1t

Princess Cake

macrumors 6502
Jan 15, 2010
327
256
Cheboygan, MI
It's still the most advanced secure platform. Be grateful for that while you do some blue-collar job. FYI, Bugs usually got fixed when found out. While there are positions there at Apple just to find bugs, there's occasionally a bug like these...

To be fair, there's positions at Apple to get high and naked while going off on a spirit journey to find the name of the next version of macOS.
 

shamino

macrumors 68040
Jan 7, 2004
3,443
271
Purcellville, VA
So does anyone have a clue what this page is actually doing? I tried loading it in Firefox and the browser got really slow (displaying assorted cruft at the bottom of the browser window) until I closed the tab.

Update

After viewing the page's source code, it's just ugly nonsense exploiting a bug in the browser.

The page's header has a meta tag (og.title) where the content is several MB of text, consisting mostly of Unicode cascading accent marks. Followed by a "mailto" URL containing similar junk. The content causes most software (capable of displaying Unicode, of course) to slow down a lot.

Pretty juvenile. But iOS's Mobile Safari and Messages shouldn't crash in the face of this. This may indicate a more serious bug somewhere in Apple's Unicode rendering engine.

IMO, although it probably violates the standard, I think software should put a limit on the number of cascading accents one may attach to a single character. If there were a limit of 100 (for example), it would probably never interfere with legitimate text and text designed to abuse the feature would simply fail to render. The only people offended would be those trying to write browser-crashing text and a few uber-pedantic Unicode geeks.
 
Last edited:
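The limit proposed in the post above, sketched as a sanitizer that a link-preview renderer could run on an untrusted page title before laying it out. This is an added example, not code from the thread or from Apple; the function names, the 300-character title cap and the sample string are assumptions made for illustration, and only the limit of 100 marks comes from the post.

```python
import unicodedata

MAX_MARKS_PER_BASE = 100  # the limit suggested in the post above
MAX_BASE_CHARS = 300      # assumed cap on title length (not from the thread)


def is_combining(ch: str) -> bool:
    """True for combining marks (Unicode general categories Mn, Mc, Me)."""
    return unicodedata.category(ch).startswith("M")


def longest_mark_run(text: str) -> int:
    """Length of the longest run of consecutive combining marks."""
    longest = run = 0
    for ch in text:
        run = run + 1 if is_combining(ch) else 0
        longest = max(longest, run)
    return longest


def exceeds_limit(text: str, max_marks: int = MAX_MARKS_PER_BASE) -> bool:
    """Detection check: does any character carry more marks than allowed?"""
    return longest_mark_run(text) > max_marks


def sanitize_title(text: str,
                   max_marks: int = MAX_MARKS_PER_BASE,
                   max_bases: int = MAX_BASE_CHARS) -> str:
    """Drop marks beyond max_marks per base character and stop after
    max_bases base characters, so output size is bounded whatever the input."""
    out, run, bases = [], 0, 0
    for ch in text:
        if is_combining(ch):
            run += 1
            if run > max_marks:
                continue          # excess accent: silently dropped
        else:
            run = 0
            bases += 1
            if bases > max_bases:
                break             # title too long: truncate
        out.append(ch)
    return "".join(out)


# Constructed sample: one letter carrying 500 acute accents, then plain text.
CONSTRUCTED_TITLE = "Z" + "\u0301" * 500 + "algo"
```

Ordinary decomposed text, such as Vietnamese with two marks on one vowel, passes through unchanged, which is the post's point about a limit of 100 never touching legitimate text.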

5105973

Cancelled
Sep 11, 2014
12,132
19,733
Still nothing compared with what iOS updates do to my devices!
Oh snap! Burnnnnnnnn.

But yeah, at least there’s a fast remedy for this. I waited months for iOS 11 to stop draining my battery fast on my 7 Plus, making it old before its time.
 
  • Like
Reactions: Delgibbons

Delgibbons

macrumors 6502a
Dec 14, 2016
761
1,635
London



I remember someone recently talking about Apple's class leading security? These stories seem to be appearing almost daily.
 
  • Like
Reactions: rbrian