Fixed iMessage bug bricked iPhones using malformed message
Details of a now-patched bug in iMessage have been revealed by a Google Project Zero researcher, a problem that could have forced users to wipe and restore their iPhones to get them working again, if they received a malformed message.
The issue, disclosed by Google Project Zero, the search company's bug and vulnerability-discovery team, relates to a specific type of malformed message sent to a victim device. As per usual disclosure rules, the bug was withheld from public view until either 90 days had elapsed or a patch had been made broadly available to the public; Apple fixed the bug in the iOS 12.3 update, allowing it to be revealed.
Specifically, the message contains a property with a key value that is not a string, despite one being expected. The method IMBalloonPluginDataSource _summaryText assumes the key in question is a string, but does not verify that this is the case.
The subsequent call to IMBalloonPluginDataSource replaceHandlewithContactNameInString calls im_handleIdentifiers on the supposed string, which in turn results in a thrown exception.
While the message can affect both Mac and iPhone, it does so in different ways. On macOS, the error causes "soagent" to crash and respawn, making it a relatively brief issue where, at worst, the Messages app stops working.
On iPhone, the code is in SpringBoard, which will repeatedly load, crash, and reload itself to the point that the UI cannot be displayed and the iPhone ceases to respond to user input. As the problem survives a hard reset, and starts occurring again after unlocking the iPhone, the only known solution is to reboot into recovery mode and restore the device.
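The missing type check and the restart loop it causes, modeled in Python as an added example; this is not Apple's or Project Zero's code. The plist encoding, the `summary` key, the function names and the sample payloads are assumptions made for illustration.

```python
import plistlib

SUMMARY_KEY = "summary"  # hypothetical key name, not taken from the disclosure


def summary_unchecked(payload: bytes) -> str:
    """Mirrors the flaw: assumes the value is a string and calls a string method."""
    props = plistlib.loads(payload)
    return props[SUMMARY_KEY].replace("{handle}", "Alice")


def summary_checked(payload: bytes) -> str:
    """Hardened form: verify container and value types before using them."""
    try:
        props = plistlib.loads(payload)
    except Exception:
        return "(unreadable message)"
    value = props.get(SUMMARY_KEY) if isinstance(props, dict) else None
    if not isinstance(value, str):
        # Sender-controlled data had the wrong type: degrade, do not crash.
        return "(message cannot be previewed)"
    return value.replace("{handle}", "Alice")


def boot_cycles(render, stored_messages, max_boots=3):
    """Model of a UI process that re-renders stored messages on every launch.

    Returns how many launches crashed before one completed.
    """
    crashes = 0
    for _ in range(max_boots):
        try:
            for msg in stored_messages:
                render(msg)
            return crashes
        except Exception:
            crashes += 1  # process dies; the malformed message is still stored
    return crashes


# Constructed sample payloads, not real iMessage data.
GOOD = plistlib.dumps({SUMMARY_KEY: "{handle} sent a sticker"})
BAD = plistlib.dumps({SUMMARY_KEY: {"unexpected": 1}})  # dict where a string is expected
```

Because the malformed message stays in the store, the unchecked renderer fails on every launch, while the checked one shows a placeholder and the launch completes.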
As part of the disclosure, Google Project Zero has also released instructions to reproduce the issue.
AppleInsider recommends users keep their iPhones up to date where possible, and to retain backups of their devices and stored data.
Malformed messages have been the source of some issues for iMessage users in the past. One major example is the "Black Dot" Unicode bug from 2018 that abused invisible characters to crash the app on iPhones and iPads running iOS 11.3.
Another 2018 "text bomb" exploited unoptimized rendering processes for OpenGraph page titles to create excessively long tags, again causing crashes. Another from 2015 used a single line of Arabic script to consume iOS resources when rendering, but only when it appeared as a notification.
Comments
Still waiting on Apple to allow updates through LTE rather than WiFi only. (Usually just 200-300MB)
Yep, I’m a broken record... Call me crazy but I think security updates are important.
Then thanks for posting.
When the headline said “bricked” I thought that meant the phones were being returned to Apple for replacement.
Because that’s what you do when your device is “bricked”: you get it replaced.
It references a plugin. Is that the notification system in springboard?
But from the article, it's not the messages app that's causing the problem to be so severe. Yes, the app has a poorly-written method that doesn't type-check the data it's receiving, and that causes a crash. The bigger problem is that somehow Springboard doesn't detect the crash and simply keeps trying to reload the app, EVEN AFTER A DEVICE RESTART. If I were at Apple, that second issue is the one I'd be investigating and correcting ASAP.
(edited to correct spacing issue)