Apple Patches ChaiOS Flaw: Update Your iPhones, Macs Now
Editor's Note: This story has been updated per Apple releasing iOS and macOS updates to patch the flaw.
Don't let your local joker know, but you can bring the Messages app on an iPhone, iPad or Mac to a grinding halt with a single link. If you click on the link — iabem97[.]github[.]io/chaiOS/ — it will give the app the technical equivalent of a brain-freeze, eventually forcing it to restart.
This kind of attack is commonly referred to as a "text bomb," and it's the latest in a series of attacks that includes 2015's Effective Power attack. The news of this flaw comes from Abraham Masri, an iPhone jailbreaker who goes by @cheesecakeufo on Twitter.
What To Do
Today (Jan. 23), Apple released iOS 11.2.5 and macOS 10.13.3, which reportedly contain fixes for this text bomb attack. To update your iPhone or iPad, open Settings, tap General, tap Software Update and tap Download and Install. On a Mac, click the Apple icon in the top right corner, select App Store, click Updates, and click Update next to the entry for macOS.
And as we often say: Never click links you don't trust. While Apple told BuzzFeed that it will include a fix in "a software update next week," it's a good rule of thumb to not click suspicious links. Also, delete the text message thread as soon as you see it, as some claim ChaiOS could load on its own, although we didn't see this during our testing.
If your Messages app is still stalling, and refuses to reboot itself out of this frozen state, try the trick I used to save my phone from this digital stasis. After opening Safari and navigating to the address https://vincedes3[.]com/save.html and tapping Open, my Messages app began to work again.
This process seemed a bit flawed, though, as I saw a plethora of ads for online gambling, and the end result started a new text message to the person who created this fix. I found this fix by reading the replies to Masri's tweet.
Also, for this and other instances of text bomb attacks, you might be better off blocking Safari from even opening the entire site that hosts the malicious content. In Settings, tap General, then Restrictions, then Enable Restrictions, enter your PIN (or create one) then Websites, then Limit Adult Content.
Then, under Never Allow, tap Add a Website, type "github.io" (or the domain of a future text-bomb attack) and tap Done. This solution may be too much, though: you may need access to the domain hosting the malicious content (though most non-developers will not need to access GitHub), and you'll now need to remember a password if you ever want to open a site that Safari believes to house adult content.
While most can wait for Apple to release its patches, there is one last-ditch effort you can take if your Messages app is still stuck. Unfortunately, it's resetting your iPhone to factory settings, something you should only do as long as your photos and other data have been backed up. This option is found in Settings, under General > Reset > Erase All Content and Settings.
How ChaiOS Works
In his announcement, Masri explained that all you need to do is "text the link" for it to "freeze the recipient's device, and possibly restart it." Thankfully, it's not that easy. Formerly, Apple devices would automatically preview links, but we saw a Tap To Preview message when a colleague texted this address to my device.
After we clicked the link, the Messages app tried to load a preview, and then froze, becoming completely unresponsive. Force-quitting the app didn't work, and we had to wait for the app to reboot itself.
A blog post by the security blogger Graham Cluley shows that this site contains code that looks pretty crazy, kind of like the scrolling walls of text from The Matrix, but in blue-and-white.
Fortunately, the chaiOS link doesn't put your device or data in any danger. Still, this kind of annoying flaw is the kind of thing that could drive you batty for a few minutes and leave you upset with the prankster who sent it to you.