Text bomb, text bomb, you're my text bomb! Naughty HTML freezes Messages, Safari, etc

A specially crafted webpage will knacker Apple's Messages and Safari software on iOS and macOS, allowing miscreants to spread merry mischief by texting fans a link to the dastardly HTML. The page also causes other programs, such as TextEdit on Macs, to hang when opened. This is due to, from what we can tell, it being stuffed …

  1. Anonymous Coward
    Anonymous Coward

    Downplayed

    As usual... You will lose all your iMessages if you get hit by this, meaning starting afresh.

    That's more than a nuisance. It's actual data loss.

    Compare it to the storm in a teacup that was android stagefright, which despite all the noise was never successfully executed in the wild, it's clear to see that this isn't a level playing field.

    There are a few deserving bellends I know with iPhones that think everything apple does is wonderful, so they all got some texts from an online web based SMS service yesterday :-)

    Plenty of mirrors, make sure yours is still live before sending to deserving recipient.

    1. Anonymous Coward
      Anonymous Coward

      Re: Downplayed

      "As usual... You will lose all your iMessages if you get hit by this, meaning starting afresh."

      ...

      "There are a few deserving bellends I know with iPhones that think everything apple does is wonderful so they all got some texts from an online web based SMS service yesterday"

      Sorry but if you're deliberately causing people to lose data, you're a tool. I could understand taking advantage of a "crash a device" bug as a prank, but to actually (and deliberately) cause loss of data is not funny, and quite possibly illegal.

      Please do think before acting.

      1. Anonymous Coward
        Anonymous Coward

        Re: Downplayed

        Don't be an iPhone bellend and you likely won't have a problem.... I did hear once that a handful of them existed somewhere..

      2. Anonymous Coward
        Anonymous Coward

        Re: Downplayed

        And your evidence that a crime has been committed, is because someone said so on the internet... You need to listen to yourself sometime.

        As it happens, I didn't send any iPhone owners this, as the ones I know, they are bellends not worth the effort...

    2. jake Silver badge

      Re: Downplayed

      One wonders if the AC thinks s/he's really anonymous, and doesn't realize that ElReg has the logs to finger him/her ... Hint to the AC: Remember that email address you used to sign up?

      1. Anonymous Coward
        Anonymous Coward

        Re: Downplayed

        " Hint to the AC: Remember that email address you used to sign up?"

        I can create an anonymous email address in gmail via Tor in 20 seconds. Far more useful would be the IP address they normally connect from - unless they're using Tor for that but I doubt it.

        1. Anonymous Coward
          Anonymous Coward

          Re: Downplayed

          > I can create an anonymous email address in gmail via Tor in 20 seconds.

          In GMail? I really doubt that. From what I have seen, it already takes more than 20 seconds (and an SMS?) to create one via a normal connection.

          Anyway, you wouldn't believe the amount of people who sign up to random things using their actual email address. :-( There is a good chance that the sorry fud above really did that. Nevertheless, you are quite right that IP history would be a better predictor.

    3. JimboSmith Silver badge

      Re: Downplayed

      There are a few deserving bellends I know with iPhones that think everything apple does is wonderful, so they all got some texts from an online web based SMS service yesterday

      So by the same token if someone did a similar thing to you, then you'd be happy to accept the loss of your data? That still doesn't excuse what you did which was repulsive.

    4. Lord_Beavis
      FAIL

      Re: Downplayed

      If you are using iMessages as an archive, you're the tool.

    5. Mayday
      Stop

      Re: Downplayed

      "As usual... You will lose all your iMessages if you get hit by this, meaning starting afresh."

      Not quite, if you delete the iMessage conversation in question with the nasty link you will only lose that particular conversation, not every single conversation on your iDevice.

  2. Pascal Monett Silver badge
    Facepalm

    "Do not use for bad stuff"

    It is interesting to observe that highly intelligent people capable of finding such loopholes are nonetheless hopelessly naive when it comes to judging human character.

    Did he really think that just saying "don't do bad" would be enough ? Well, as the first poster demonstrates, it isn't.

    1. NickyD

      Re: "Do not use for bad stuff"

      "Did he really think that just saying "don't do bad" would be enough ? Well, as the first poster demonstrates, it isn't."

      He probably thinks it's a legal disclaimer, "sorry occifer, I told them not to be naughty so it's not my fault".

    2. This post has been deleted by its author

    3. Anonymous Coward
      Anonymous Coward

      Re: "Do not use for bad stuff"

      He clearly wanted attention and he'll get way more attention by spreading a bug without a fix so it has a real impact and gets noticed by the Register, rather than notifying Apple and only disclosing after the patch is out when it is out. Had he done the latter, it would just be in the list of fixes for iOS 11.3 or whatever and neither the Register nor anyone else would mention him by name.

      1. Anonymous Coward
        Anonymous Coward

        Re: "Do not use for bad stuff"

        But this is the 'chief tat slinger' we are talking about. If Cupertino fixed the problem before it was announced then we'd have to find some other bit of wet and smelly fish to slap them around the head with.

        Sometimes, (well mostly) they deserve it but often they don't but who cares eh?

        Keep Calm and Carry On {dissing Apple}

        1. Anonymous Coward
          Anonymous Coward

          Re: Keep Calm and Carry On {dissing Apple}

          The Reg disses all equally. If you're getting upset by that I suggest you look to your own prejudices.

        2. Anonymous Coward
          Anonymous Coward

          Re: "Do not use for bad stuff"

          Is it just me, but isn't this an old story? Vaguely remember reading about this a year or so ago? Can't be arsed to look at the moment

    4. JimboSmith Silver badge

      Re: "Do not use for bad stuff"

      It is interesting to observe that highly intelligent people capable of finding such loopholes are nonetheless hopelessly naive when it comes to judging human character.

      Did he really think that just saying "don't do bad" would be enough ? Well, as the first poster demonstrates, it isn't.

      I'm reminded of something Sir Pterry wrote:

      “Some humans would do anything to see if it was possible to do it. If you put a large switch in some cave somewhere, with a sign on it saying 'End-of-the-World Switch. PLEASE DO NOT TOUCH', the paint wouldn't even have time to dry.”

      Thief of Time by Terry Pratchett

      1. Anonymous Coward
        Anonymous Coward

        Re: "Do not use for bad stuff"

        “Some humans would do anything to see if it was possible to do it. If you put a large switch in some cave somewhere, with a sign on it saying 'End-of-the-World Switch. PLEASE DO NOT TOUCH', the paint wouldn't even have time to dry.”

        Thief of Time by Terry Pratchett

        Sounds like something BOFH would use as the basis for a 'Stupid People Eliminator'

  3. John Smith 19 Gold badge
    FAIL

    Wow. It's 2018 and "terminals" can still be hosed by sending files of control characters.

    Just like my dad used to do back in the day.

    Unf**kingbelieveable.

    I thought HTML default rule was "If it's not properly formed HTML ignore it"

    1. Anonymous Coward
      Anonymous Coward

      Re: Wow. It's 2018 and "terminals" can still be hosed by sending files of control characters.

      The problem doesn't look to be in HTML itself, but in the OS font parser. Displaying variable fonts with all the typographical bells and whistles is a hard job. Also, fonts weren't designed with hackers in mind...

      1. Anonymous Coward
        Anonymous Coward

        Re: Wow. It's 2018 and "terminals" can still be hosed by sending files of control characters.

        "Displaying variable fonts with all the typographical bells and whistles is a hard job."

        It's not really. utf8 code maps to font character data, character gets drawn. I don't see the problem unless somehow they're defining new font characters on the fly or calling font drawing routines direct. Of course if we still had bitmap fonts instead of this fancy vector stuff it wouldn't be an issue in the first place! Now get off my lawn!

        1. Anonymous Coward
          Anonymous Coward

          Re: Wow. It's 2018 and "terminals" can still be hosed by sending files of control characters.

          Anti-aliasing, screen DPI scaling, kerning and graphics acceleration are a few extra complications to consider.

          1. Anonymous Coward
            Anonymous Coward

            Re: Wow. It's 2018 and "terminals" can still be hosed by sending files of control characters.

            "Anti-aliasing, screen DPI scaling, kerning and graphics acceleration are a few extra complications to consider."

            Fonts are just small vector drawings, there's nothing special about them in particular. The OS doesn't care whether they're a letter or an emoji. Now either there's an issue with the HTML/URL parser, the font mappings, the font drawing routines or the standard graphics subsystems used to render them. If it was the last 2 we'd have probably seen this bug long before now IMO.

        2. Brangdon

          Re: typographical bells and whistles

          It's really not as simple as each Unicode code point mapping to a single character outline. An accented character like à can be stored as two code points, one for the 'a' and one for the accent. Or an 'f' and an 'i' might need to be combined into a ligature. Some scripts take that to extremes, with what appears to the user as a single shape being made from multiple code points that combine in complex ways. Add in changes of direction for right-to-left scripts. Think Chinese or Indic languages.

          1. handleoclast
            Coat

            Re: typographical bells and whistles

            Some scripts take that to extremes, with what appears to the user as a single shape being made from multiple code points that combine in complex ways.

            For more on combining modifiers, see this.

        3. Anonymous Coward
          Anonymous Coward

          "maps to font character data, character gets drawn"

          The encoding or character set don't really matter. It's the "character gets drawn" part that gets tricky. It's just an index into the mathematical description of a glyph - and it can also depend on the previous and following characters - that's when ligatures, kerning, and other techniques are employed to *calculate* the actual pixels to be sent to the graphic device, and to deliver visually pleasing "text".

          Just that's code running, and if it has bugs, it could be exploited just sending a given sequence of characters.

          You can easily spot an amateurish document (or any kind of text display) - it lacks many of the finest features text can use.

          Sure, bitmap fonts didn't have such issues, just they are very ugly to see, especially when upsampled or downsampled. But typography is more than 500 years old, and got us used to specific ways to display good text, and they are used because the human eye is sensitive to them, and they really improve reading.

        4. Anonymous Coward
          Anonymous Coward

          Re: Wow. It's 2018 and "terminals" can still be hosed by sending files of control characters.

          > It's not really. utf8 code maps to font character data, character gets drawn. I don't see the problem

          Possibly you don't see the problem because of unfamiliarity with how font rendering actually works. Think of a string of characters (code points) to be rendered as a program with such things as control flow and subroutines.

  4. joed

    and not just Apple's stuff

    The link did some funky stuff in Firefox on Windows. The browser literally stalled but eventually I managed to close the tab

  5. Major N

    It seems View Source in IE11 (damn corporate restrictions) also hangs pretty hard....

    1. Anonymous Coward
      Anonymous Coward

      What about when you view the message?

      1. Anonymous Coward
        Anonymous Coward

        Then you see ...

        Tom Jones

  6. Hans 1
    Meh

    It just seems to be an Open Graph protocol meta tag with weird content, pasting that into a text file makes notepad++ freeze a bit, and crashes Cygwin when you attempt to cat it ... it contains 10540255 utf-8 characters, from what I can see.

    7.5 Mb in the content attribute of a meta tag!

    More on Open Graph protocol can be found here: http://ogp.me/
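
Added example, not part of Hans 1's comment or the original article: a Python sketch of how a link-preview fetcher could refuse to render an oversized Open Graph `content` value like the one described above, plus a cap on runs of combining code points of the kind Brangdon describes earlier in the thread. The limits `MAX_OG_CHARS` and `MAX_COMBINING_RUN`, the `OGAuditor` class and the sample page are assumptions constructed for illustration.

```python
import unicodedata
from html.parser import HTMLParser

MAX_OG_CHARS = 300      # assumed preview budget; not a value from the page
MAX_COMBINING_RUN = 4   # assumed cap on consecutive combining marks


def longest_combining_run(text):
    """Length of the longest run of consecutive combining code points."""
    longest = run = 0
    for ch in text:
        run = run + 1 if unicodedata.combining(ch) else 0
        longest = max(longest, run)
    return longest


class OGAuditor(HTMLParser):
    """Collects og:* meta tags and decides whether each is safe to render."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.safe = {}      # property -> content that passed both checks
        self.rejected = {}  # property -> reason for refusing to render

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = dict(attrs)
        prop, content = a.get("property") or "", a.get("content") or ""
        if not prop.startswith("og:"):
            return
        if len(content) > MAX_OG_CHARS:
            self.rejected[prop] = f"content is {len(content)} chars"
        elif longest_combining_run(content) > MAX_COMBINING_RUN:
            self.rejected[prop] = "long run of combining marks"
        else:
            self.safe[prop] = content


def audit(html):
    """Return (safe, rejected) dictionaries for the og:* tags in html."""
    parser = OGAuditor()
    parser.feed(html)
    parser.close()
    return parser.safe, parser.rejected


# Constructed sample page: one normal tag, one oversized, one mark-heavy.
SAMPLE = (
    '<html><head><meta property="og:title" content="Caf\u00e9 menu">'
    '<meta property="og:description" content="' + "A" * 5000 + '">'
    '<meta property="og:site_name" content="a' + "\u0301" * 40 + '">'
    "</head><body></body></html>"
)
```

These checks run after the document has already been downloaded and parsed, so a preview fetcher would also need a byte limit on the HTTP response itself.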

  7. Anonymous Coward
    Anonymous Coward

    "It just seems to be an Open Graph protocol meta tag with weird content, pasting that into a text file makes notepad++ freeze a bit, and crashes Cygwin when you attempt to cat it ... it contains 10540255 utf-8 characters, from what I can see.

    7.5 Mb in the content attribute of a meta tag!"

    I don't know if it is related but trying to view the raw html on Github using Chrome on a Windows box caused strange black streaks in the characters.

    Chrome's "view source" fails on the link given on the link in the article as well.

  8. Anonymous Coward
    Anonymous Coward

    Border patrol

    I remember an El Reg user's comment on an article about data being seized from devices by border agents wondering if a "text bomb" could bork the agents device if extracted and viewed.

  9. Prosthetic Conscience
    Flame

    "and their Messages app fetches it automatically to display a preview"

    THIS. Why does every "modern" app have to do this shite!!!
