The exploit is made possible by the fact that the Messages app in iOS preloads website links, which allows the app to show users a preview. However, this has the unwelcome side effect of executing code that could otherwise be harmful to the operating system.
In this case, Masri created a webpage on Github that had its metadata overloaded with hundreds of thousands of unnecessary characters. This causes iOS to panic, and repeatedly crashes the Messages app. “The device will freeze for a few minutes," Masri told BuzzFeed. "Then, most of the time, it resprings."
👋 Effective Power is back, baby!— Abraham Masri (@cheesecakeufo) January 16, 2018
Text the link below, it will freeze the recipient's device, and possibly restart it. https://t.co/Ln93XN51Kq
⚠️ Do not use it for bad stuff.
thanks to @aaronp613 @garnerlogan65 @lepidusdev @brensalsa for testing!
While Masri's proof-of-concept webpage was originally hosted on GitHub, the site has since taken down the page and his account was temporarily suspended (it has since been reinstated). “My intention is not to do bad things," said Masri. "My main purpose was to reach out to Apple and say, ‘Hey, you’ve been ignoring my bug reports.’ I always report the bug before releasing something.”
No, I'm not going to re-upload it. I made my point. Apple needs to take such bugs more seriously.— Abraham Masri (@cheesecakeufo) January 17, 2018
It's also possible for chaiOS to wreak havoc with macOS, as there are reports of it crashing the Safari web browser.
"Nasty. But, thankfully, more of a nuisance than something that will lead to data being stolen from your computer or a malicious hacker being able to access your files," added security researcher Graham Cluley. "Readers with long memories will recall that Apple users have been bedeviled by text bomb vulnerabilities like this in the past."