The researcher and software developer Abraham Masri has discovered a new bug, dubbed ‘chaiOS Text Bomb’ that could be exploited to crash recipient’s iMessage application in a continuous loop.
? Effective Power is back, baby!
Text the link below, it will freeze the recipient's device, and possibly restart it. https://t.co/Ln93XN51Kq
— Abraham Masri (@cheesecakeufo) January 16, 2018
The flaw exploited by the ‘chaiOS Text Bomb’ affects both iOS and macOS, according to researchers at Yalu Jailbreak, the bug is currently compatible up till iOS 11.1.2 firmware, this means that it affects iMessage apps on macOS High Sierra, iOS 10 to 10.3.3, and iOS 11 to 11.2.1.
A proof-of-concept page has been put together by Masri and shared on Twitter yesterday, but the page has been removed from GitHub due to potential abuses, anyway, a new mirror has been already added.
“chaiOS is a malicious iOS bug that can cause the target device to freeze, respring, drain the battery, and possibly kernel panic. It is developed by the eminent jailbreak developer, Abraham Masri.
Here are the known after-effects once someone opens the malicious link.
It weighs around 7MB and loads some the exploit into user’s browser window and then crashes it.” states Yalu Jailbreak.
Below is a video PoC of the exploitation of the bug:
Researchers observed that the chaiOS Text Bomb can also affect Windows systems, it can also crash Chrome and Firefox web browsers.
The download link to the chaiOS is reported on the following page, but please don’t use it.
Below instructions to trigger the bug:
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.