Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

Fixed iMessage bug bricked iPhones using malformed message

Details of a now-patched bug in iMessage have been revealed by a Google Project Zero researcher, a problem that could have forced users to wipe and restore their iPhones to get them working again, if they received a malformed message.

Released by Google Project Zero, the search company's bug and vulnerability-discovery team, the issue relates to a specific type of malformed message that is sent out to a victim device. As per usual disclosure rules, the bug was held from public view until either 90 days had elapsed or a patch had been made broadly available to the public, with Apple's release in an iOS 12.3 update fixing the bug and allowing for it to be revealed.

Specifically, the message contains a property with a key value that is not a string, despite one being expected. Calling a method titled IMBalloonPluginDataSource _summaryText, the method assumes the key in question is a string, but does not verify it is the case.

The subsequent call for IMBalloonPluginDataSource replaceHandlewithContactNameInString calls for im_handleIdentifiers for the supposed string, which in turn results in a thrown exception.

While the message can affect both Mac and iPhone, they do so in different ways. For macOS, the error causes "soagent" to crash and respawn, making it a relatively brief issue where, at worst, the Messages app stops working.

On iPhone, the code is in Springboard, and will repeatedly load, crash, and reload itself to a point that the UI cannot be displayed and the iPhone ceases to respond to input by the user. As the problem survives a hard reset, and starts occurring again after unlocking the iPhone, the only known solution is to reboot into recovery mode and restore the device.

As part of the disclosure, Google Project Zero has also released instructions to reproduce the issue.

AppleInsider recommends users keep their iPhones up to date where possible, and to retain backups of their devices and stored data.

Malformed messages have been the source of some issues for iMessage users in the past. One major example is the "Black Dot" Unicode bug from 2018 that abused invisible characters to crash the app on iPhones and iPads running iOS 11.3.

Another 2018 "text bomb" exploited unoptimized rendering processes for OpenGraph page titles to create excessively long tags, again causing crashes. Another from 2015 used a single line of Arabic script to consume iOS resources when rendering, but only when it appeared as a notification.



12 Comments

seanismorris 8 Years · 1624 comments

Good work Google Project Zero!

Still waiting on Apple to allow updates through LTE rather than WiFi only. (Usually just 200-300MB)

Yep, I’m a broken record...  Call me crazy but I think security updates are important.

OutdoorAppDeveloper 15 Years · 1292 comments

This bug keeps happening because it has never actually been fixed. Perhaps Apple should stop masking the bug by avoiding specific malformed messages and fix the underlying bug which is that iMessage has the capability to brick iPhones. At the worst, iMessage should fail to deliver a bad message. It should not be able to brick your device. I have been developing iOS apps for over a decade and have never seen a bug in my app brick one of my iOS devices even in the most catastrophic data corruption situations.

22july2013 11 Years · 3736 comments

I thought "to brick" meant to make something totally unrecoverable except by the manufacturer with certain tools. From the web: "First of all, lets get something straight. Most people use the term 'bricked' improperly. A bricked phone means one thing: your phone won't turn on in any way, shape or form, and there's nothing you can do to fix it. It is, for all intents and purposes, as useful as a brick. A phone stuck in a boot loop is not bricked, nor is a phone that boots straight into recovery mode. These are things you can usually fix, and they're a lot more common than a truly bricked phone. If your phone is actually bricked, you won't be able to fix it yourself..." Since the problem described in this article allows you to boot into recovery mode, it is not "bricked" by this standard definition.

kimberly 10 Years · 434 comments

I thought "to brick" meant to make something totally unrecoverable except by the manufacturer with certain tools. From the web: "First of all, lets get something straight. Most people use the term 'bricked' improperly. A bricked phone means one thing: your phone won't turn on in any way, shape or form, and there's nothing you can do to fix it. It is, for all intents and purposes, as useful as a brick. A phone stuck in a boot loop is not bricked, nor is a phone that boots straight into recovery mode. These are things you can usually fix, and they're a lot more common than a truly bricked phone. If your phone is actually bricked, you won't be able to fix it yourself..." Since the problem described in this article allows you to boot into recovery mode, it is not "bricked" by this standard definition.

That was my understanding of 'bricked' too.

macgui 17 Years · 2471 comments

Both 'bricked' and 'vaporware' have become misused so often and for so long they now have taken on a different meaning. I still use them old school.