'Black Dot' Unicode bug crashes iOS Messages with invisible characters

Posted in iOS, edited May 2018
A malicious message dubbed the 'Black Dot' message has started doing the rounds on iOS following circulation on Android devices. It takes advantage of a Unicode text bug to crash Apple's Messages app on iPhones and iPads running iOS 11.3 and the beta releases of iOS 11.4.



Revealed by EverythingApplePro on YouTube, the message consists of a black dot emoji and a hand pointing to it, sent through the Messages app to another user. The malicious message is capable of crashing Messages once opened, with the issue persisting even if the user forcibly closes the app and re-opens it.

The flaw is similar to another malicious message that recently affected Android users in WhatsApp. A specially-crafted message inviting people to tap on the black dot would crash WhatsApp, but crucially it only caused the crash if the symbol was tapped, rather than immediately locking up Messages as found in the iOS version.

Both are seemingly based on the same Unicode text bug, involving a string of thousands of hidden characters of the kind usually used for functions such as telling the application whether the following text reads left-to-right or right-to-left. Using thousands of these conflicting characters in succession taxes the processor and consumes vast amounts of memory in the process, in turn causing the crash.

While it is referred to as the "Black Dot" message, the bug actually has nothing to do with the emoji used in the message.
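A receiving app or message gateway can budget invisible characters before text reaches the layout engine. The sketch below is an added example, not code from Apple, WhatsApp or the article; the limits `MAX_BIDI` and `MAX_RUN`, the function names and both sample strings are assumptions made for illustration.

```python
import unicodedata

# Directional controls: marks, embeddings/overrides, isolates.
BIDI_CONTROLS = frozenset(
    "\u200e\u200f\u061c\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069"
)
MAX_BIDI = 32  # assumed per-message budget of directional controls
MAX_RUN = 8    # assumed longest unbroken run of invisible characters

# Constructed samples. CRAFTED is scaled down to 40 controls for illustration.
BENIGN = "Hello \u200f\u05e9\u05dc\u05d5\u05dd\u200e world \u26ab\U0001f448"
CRAFTED = "\u26ab\U0001f448 tap" + "\u200e\u200f" * 20


def invisible_stats(text):
    """Return (total, longest_run, bidi_total) over format (Cf) characters."""
    total = run = longest = bidi = 0
    for ch in text:
        if unicodedata.category(ch) == "Cf":
            total += 1
            run += 1
            longest = max(longest, run)
            bidi += ch in BIDI_CONTROLS
        else:
            run = 0
    return total, longest, bidi


def is_suspicious(text, max_bidi=MAX_BIDI, max_run=MAX_RUN):
    """Flag text whose invisible-character load exceeds the budget."""
    _, longest, bidi = invisible_stats(text)
    return bidi > max_bidi or longest > max_run


def sanitize(text, max_run=MAX_RUN):
    """Keep at most max_run characters of each run of format characters."""
    out, run = [], 0
    for ch in text:
        if unicodedata.category(ch) == "Cf":
            run += 1
            if run > max_run:
                continue
        else:
            run = 0
        out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    for name, msg in (("benign", BENIGN), ("crafted", CRAFTED)):
        print(name, invisible_stats(msg), is_suspicious(msg))
```

The emoji play no part in the decision, which matches the point that the dot itself is irrelevant. Truncating a run can leave embedding or override controls unpaired, so rejecting or quarantining a flagged message is the more conservative choice than rendering the sanitized text.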





Current workarounds consist of navigating away from the screen displaying the message so it doesn't appear when the app launches. One technique for affected iPhones involves forcing the app to close then using 3D Touch to create a new message, while it is also possible to delete the message from another iOS device connected to the same iCloud account.

Apple has yet to issue a fix for this issue, but one is expected to arrive soon.

The latest bug is reminiscent of a 2015 flaw in Unicode that could cause an iPhone to crash upon receiving a specific message. A single line of Arabic script was found to consume resources when iOS tried to render it in a notification, but at the same time didn't cause issues when received as part of a normal Messages conversation, indicating it to be an issue with the iOS notifications system itself.

Earlier this year, another "text bomb" was found to exploit an unoptimized rendering process for OpenGraph page titles to create an excessively long tag, causing Messages and other apps to crash in both iOS and macOS, and sometimes the operating system itself.

Comments

  • Reply 1 of 5
    elijahg Posts: 2,814 member
    Here we go again... Whoever's the architect of Core Text needs moving on. The Unicode consortium doesn't help matters though, continually adding unnecessary extra emojis and variations thereof makes testing exponentially more difficult.
  • Reply 2 of 5
    elijahg said:
    Here we go again... Whoever's the architect of Core Text needs moving on. The Unicode consortium doesn't help matters though, continually adding unnecessary extra emojis and variations thereof makes testing exponentially more difficult.
    Nah. This actually has nothing to do with emojis. It's a Unicode processing bug where a specially-crafted string of thousands of invisible characters causes a DOS attack by overwhelming the text processing engine. There is no indication of actual incompetence on the part of Apple's developers. It's an edge case at best, and affects other platforms with different codebases.
  • Reply 3 of 5
    baconstang Posts: 1,140 member
    Yet another reason for me to stay on iOS10.
    edited May 2018
  • Reply 4 of 5
    tallest skil Posts: 43,388 member
    Yet another reason to stay on iOS10.
    Yeah, that version didn’t have Unicode support.
  • Reply 5 of 5
    elijahg said:
    Here we go again... Whoever's the architect of Core Text needs moving on. The Unicode consortium doesn't help matters though, continually adding unnecessary extra emojis and variations thereof makes testing exponentially more difficult.
    Nah. This actually has nothing to do with emojis. It's a Unicode processing bug where a specially-crafted string of thousands of invisible characters causes a DOS attack by overwhelming the text processing engine. There is no indication of actual incompetence on the part of Apple's developers. It's an edge case at best, and affects other platforms with different codebases.
    There's no valid reason for such a bug, just sad excuses: that another platform suffers problems in a similar/same manner is irrelevant.

    If there's an upper limit to the number of characters or their composition, people will find it, intentionally or otherwise, and this really isn't hard to guard against.