A malicious message dubbed the 'Black Dot' message has started doing the rounds on iOS following circulation on Android devices. It takes advantage of a bug in Unicode to crash Apple's Messages app on iPhones and iPads running iOS 11.3 and the beta releases of iOS 11.4.
Revealed by EverythingApplePro on YouTube, the message consists of a black dot emoji and a hand pointing to it, sent through the Messages app to another user. The malicious message is capable of crashing Messages once opened, with the issue persisting even if the user forcibly closes the app and re-opens it.
The flaw is similar to another malicious message that recently affected Android users in WhatsApp. A specially-crafted message inviting people to tap on the black dot would crash WhatsApp, but crucially the crash only occurs if the symbol is tapped, whereas the iOS version locks up Messages immediately.
Both are seemingly based on the same Unicode text bug, involving a string of thousands of hidden characters. These characters are usually used for functions such as telling the application whether the following text reads from left-to-right or right-to-left. Using thousands of these conflicting characters in succession taxes the processor and consumes vast amounts of memory in the process, in turn causing the crash.
While it is referred to as the "Black Dot" message, the bug actually has nothing to do with the emoji used in the message.
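As an added example (not code from the article, Apple or WhatsApp), the following sketch shows how a message-handling service could flag and strip the kind of padding described above before any text is rendered. The article does not list the exact characters used, so the example covers Unicode's bidirectional controls and other invisible format (Cf) characters in general; the function names and thresholds are assumptions.

```python
import unicodedata
from itertools import groupby

# Unicode bidirectional controls (UAX #9); all are invisible format characters.
BIDI_CONTROLS = frozenset(
    "\u061c\u200e\u200f"              # ALM, LRM, RLM
    "\u202a\u202b\u202c\u202d\u202e"  # LRE, RLE, PDF, LRO, RLO
    "\u2066\u2067\u2068\u2069"        # LRI, RLI, FSI, PDI
)

def _is_format(ch):
    return unicodedata.category(ch) == "Cf"

def scan_message(text, max_run=8, max_total=64):
    """Count invisible format characters; thresholds are assumed, not Apple's."""
    total = bidi = run = longest = 0
    for ch in text:
        if _is_format(ch):
            total += 1
            bidi += ch in BIDI_CONTROLS
            run += 1
            longest = max(longest, run)
        else:
            run = 0
    return {"invisible": total, "bidi": bidi, "longest_run": longest,
            "suspicious": longest > max_run or total > max_total}

def strip_invisible_runs(text, max_run=8):
    """Drop over-long runs of format characters, keep short ones (emoji ZWJ)."""
    kept = []
    for is_cf, group in groupby(text, key=_is_format):
        chunk = "".join(group)
        if not (is_cf and len(chunk) > max_run):
            kept.append(chunk)
    return "".join(kept)

# Constructed samples: a family emoji joined by two ZWJs, and a short dot
# message padded with 100 alternating direction marks.
BENIGN = "On my way \U0001F468\u200D\U0001F469\u200D\U0001F467"
PADDED = "tap here \u26ab" + "\u200e\u200f" * 50 + " done"

if __name__ == "__main__":
    for label, msg in (("benign", BENIGN), ("padded", PADDED)):
        print(label, len(msg), scan_message(msg))
    print(repr(strip_invisible_runs(PADDED)))
```

The dot emoji itself is never counted, which matches the point that the emoji is incidental; only the invisible run trips the check, while the ordinary emoji sequence passes untouched.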
Current workarounds consist of navigating away from the screen displaying the message so it doesn't appear when the app launches. One technique for affected iPhones involves forcing the app to close then using 3D Touch to create a new message, while it is also possible to delete the message from another iOS device connected to the same iCloud account.
Apple has yet to issue a fix for this issue, but one is expected to arrive soon.
The latest bug is reminiscent of a 2015 flaw in Unicode that could cause an iPhone to crash upon receiving a specific message. A single line of Arabic script was found to consume resources when iOS tried to render it in a notification, but at the same time didn't cause issues when received as part of a normal Messages conversation, indicating it to be an issue with the iOS notifications system itself.
Earlier this year, another "text bomb" was found to exploit an unoptimized rendering process for OpenGraph page titles to create an excessively long tag, causing Messages and other apps to crash in both iOS and macOS, and sometimes the operating system itself.
5 Comments
Here we go again... Whoever's the architect of Core Text needs moving on. The Unicode consortium doesn't help matters though, continually adding unnecessary extra emojis and variations thereof makes testing exponentially more difficult.
Yet another reason for me to stay on iOS10.