Details of a now-patched bug in iMessage have been revealed by a Google Project Zero researcher, a problem that could have forced users to wipe and restore their iPhones to get them working again, if they received a malformed message.
Released by Google Project Zero, the search company's bug and vulnerability-discovery team, the issue relates to a specific type of malformed message that is sent out to a victim device. As per usual disclosure rules, the bug was held from public view until either 90 days had elapsed or a patch had been made broadly available to the public, with Apple's release in an iOS 12.3 update fixing the bug and allowing for it to be revealed.
Specifically, the message contains a property with a key value that is not a string, despite one being expected. The method IMBalloonPluginDataSource _summaryText assumes the key in question is a string, but never verifies that it is.
The subsequent call to IMBalloonPluginDataSource replaceHandlewithContactNameInString then calls im_handleIdentifiers on the supposed string, which results in a thrown exception.
While the message can affect both Mac and iPhone, it does so in different ways. For macOS, the error causes "soagent" to crash and respawn, making it a relatively brief issue where, at worst, the Messages app stops working.
On iPhone, the code runs in SpringBoard, which will repeatedly load, crash, and reload itself to the point that the UI cannot be displayed and the iPhone stops responding to user input. As the problem survives a hard reset, and starts occurring again after unlocking the iPhone, the only known solution is to reboot into recovery mode and restore the device.
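The failure mode described above, as an added Python example (not Project Zero's or Apple's code): a toy summary renderer that, like _summaryText, assumes a message key holds a string, beside a checked version that rejects the malformed message instead of letting the exception escape. The INBOX contents, the "title" key, run_launches and the 5-launch limit are all constructed for illustration; run_launches models a process that re-reads a persisted inbox on every launch, which is why an unhandled exception turns into a relaunch loop.

```python
from typing import Optional

INBOX = [  # constructed sample messages; "title" stands in for the plugin data key
    {"id": 1, "payload": {"title": "handle:+15550100 says hi"}},
    {"id": 2, "payload": {"title": 12345}},  # key holds a number, not a string
    {"id": 3, "payload": {"title": "ok"}},
]


def summary_text_unchecked(payload: dict) -> str:
    """Mirrors the bug: assumes the value is a string and never verifies it."""
    title = payload["title"]
    # A string-only operation on a non-string raises here, the Python analogue of
    # calling a string selector on an object that does not implement it.
    return title.replace("handle:", "Contact Name: ")


def summary_text_checked(payload: dict) -> Optional[str]:
    """Hardened: validate the type and report the message as malformed."""
    title = payload.get("title")
    if not isinstance(title, str):
        return None  # caller drops the message; nothing propagates to the process
    return title.replace("handle:", "Contact Name: ")


def run_launches(render, max_launches: int = 5):
    """Simulate a UI process that re-reads a persisted inbox on every launch.
    Returns (launches_used, rendered_summaries, quarantined_ids)."""
    pending = [dict(m) for m in INBOX]  # persisted state survives a "crash"
    quarantined = []
    for launch in range(1, max_launches + 1):
        rendered, crashed = [], False
        for msg in list(pending):
            try:
                out = render(msg["payload"])
            except (AttributeError, TypeError):
                crashed = True  # exception escaped: the whole process dies
                break
            if out is None:
                pending.remove(msg)  # malformed message is dropped, not retried
                quarantined.append(msg["id"])
                continue
            rendered.append(out)
        if not crashed:
            return launch, rendered, quarantined
    return max_launches, [], quarantined  # still crash-looping after max_launches


if __name__ == "__main__":
    print("unchecked:", run_launches(summary_text_unchecked))
    print("checked:  ", run_launches(summary_text_checked))
```

With the unchecked renderer every launch dies at the same persisted message, so the simulated process never reaches a clean run; the checked renderer drops message 2 on the first launch and renders the rest.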
As part of the disclosure, Google Project Zero has also released instructions to reproduce the issue.
AppleInsider recommends users keep their iPhones up to date where possible, and to retain backups of their devices and stored data.
Malformed messages have been the source of some issues for iMessage users in the past. One major example is the "Black Dot" Unicode bug from 2018 that abused invisible characters to crash the app on iPhones and iPads running iOS 11.3.
Another 2018 "text bomb" exploited unoptimized rendering processes for OpenGraph page titles to create excessively long tags, again causing crashes. Another from 2015 used a single line of Arabic script to consume iOS resources when rendering, but only when it appeared as a notification.
12 Comments
Good work Google Project Zero!
Still waiting on Apple to allow updates through LTE rather than WiFi only. (Usually just 200-300MB)
Yep, I’m a broken record... Call me crazy but I think security updates are important.
This bug keeps happening because it has never actually been fixed. Perhaps Apple should stop masking the bug by avoiding specific malformed messages and fix the underlying bug which is that iMessage has the capability to brick iPhones. At the worst, iMessage should fail to deliver a bad message. It should not be able to brick your device. I have been developing iOS apps for over a decade and have never seen a bug in my app brick one of my iOS devices even in the most catastrophic data corruption situations.
I thought "to brick" meant to make something totally unrecoverable except by the manufacturer with certain tools. From the web: "First of all, let's get something straight. Most people use the term 'bricked' improperly. A bricked phone means one thing: your phone won't turn on in any way, shape or form, and there's nothing you can do to fix it. It is, for all intents and purposes, as useful as a brick. A phone stuck in a boot loop is not bricked, nor is a phone that boots straight into recovery mode. These are things you can usually fix, and they're a lot more common than a truly bricked phone. If your phone is actually bricked, you won't be able to fix it yourself..." Since the problem described in this article allows you to boot into recovery mode, it is not "bricked" by this standard definition.
Both 'bricked' and 'vaporware' have become misused so often and for so long they now have taken on a different meaning. I still use them old school.