The latest bug causes application meltdown when it tries to render two characters in Telugu, a language from south India. Telugu is the country’s third most-spoken language, with roughly 75 million native speakers, and the fifteenth most-spoken language in the world.
While many can simply avoid using or viewing the symbols, the problem arises when an unscrupulous troll sends the symbols directly to devices, effectively triggering a notification bomb that locks up the phone. “Read this to log off instantly” and “retweet this to crash anyone using an Apple device,” wrote several such online deviants on Twitter. The crash bug can also be deployed in a Twitter user’s ‘@ replies’ or in their handle, meaning it can be pushed out through ‘likes’ or mentions on the platform.
This forces users to reinstall the app from scratch. One security researcher reportedly added one of the ‘weaponized’ symbols to his Twitter handle as an experiment, before attempting to request an Uber. “I suspect a crashed phone means you get routed to the next driver… who gets crashed too. Like an Uber routing worm,” he wrote.
Software engineers at Aloha Browser initially discovered two Unicode symbols in Telugu that crashes any Apple device using the default San Francisco font which includes iPhones, iPads, Macs and watch OS devices with text-displaying screens. Apps such as Mail, Twitter, Messages, Slack, Instagram, Facebook, and in some instances Chrome have confirmed vulnerability to the bug.
It can also wreak havoc when deployed as an SSID (service set identifier) in a WiFi network. For instance, if a user were to input the offending Unicode symbols in their SSID and then use their device as a WiFi hotspot, they could, theoretically, flash crash all Apple devices within range that had their WiFi enabled.
“From some experimentation, this bug seemed to occur for any pair of Telugu consonants with a vowel, as long as the vowel is not ై (ai),” Mozilla engineer Manish Goregaokar wrote in an in-depth blog post on the south Indian language bug.
Apple confirmed that there is a “dot update” fix coming soon, though declined to confirm if it would be iOS 11.2.6. Apple noted that the bug is fixed in current betas of iOS, tvOS, macOS and watchOS.
This is far from the first bug to plague Apple users. In January, Abraham Masri discovered a similar bug in which a specific URL could crash iPhones to which it was sent. Back in 2016, the URL for crashsafari.com was deployed in a similar fashion to crash any Safari or iPhone browser that tried to open it and in 2015, the so-called ‘Unicode of Death’ could be used to overload an iPhone’s memory using several characters in Arabic.
Twitter released an iOS app update Thursday which fixed “a crash that affects users of right-to-left languages such as Arabic and Hebrew,” but did not address the current Telugu bug. Apple claims the issue has been resolved in beta versions of its operating systems and the fix will be disseminated across all platforms as soon as possible, The Guardian reports.
If you like this story, share it with a friend!