iPhone ‘chaiOS’ bug can freeze your phone with a single link

A bug has been discovered in iOS that crashes the Messages app and can freeze or restart your phone when you’re sent a specially-engineered website link.

The bug was discovered by software developer Abraham Masri, who gave it the catchy — if slightly alarmist — name of “chaiOS.” It exploits the fact that Messages preloads any links to webpages so it can show users a preview of the page. Speaking to BuzzFeed News, Masri explains that he created a webpage hosted on GitHub and stuffed its metadata with hundreds of thousands of unnecessary characters. Masri suggests that Messages crashes when trying to load all of this unexpected information, sometimes taking the entire operating system down with it.

Judging by user reports, the bug doesn’t work consistently. Sometimes it crashes Messages, sometimes it causes lag, sometimes it freezes the device, and sometimes it triggers what’s known as a “respring” (when iOS reboots the software called SpringBoard and kicks the user back to the lock screen). Masri tested chaiOS successfully on the iPhone X and iPhone 5S, and says it only affects versions of iOS from 10.0 to 11.2.5 beta 5. The bug can also crash Messages on macOS.

Thankfully, finding working copies of a buggy chaiOS link isn’t easy. Masri initially hosted the bug on GitHub, but this link, along with a number of other mirrors uploaded by third-parties, has now been taken down by the site. Masri himself says he isn’t going to re-upload the bug, saying he only released it “to get Apple’s attention.”

No, I'm not going to re-upload it. I made my point. Apple needs to take such bugs more seriously.

— Abraham Masri (@cheesecakeufo) January 17, 2018

If someone has sent you a copy of the bug and it’s currently stopping you from using Messages on your iPhone, there are a couple of fixes you can try:

• Block the domain of site hosting it. So, if the link is coming from GitHub, for example, go to your Safari settings, then General > Restrictions > Enable Restrictions > Websites > Limit Adult Content > Never Allow > GitHub.io.
• Delete the thread the link was sent in. We’ve seen mixed reports about whether this method works — it depends if you can quickly delete the thing before the app crashes.
• Reset your iPhone to factory settings. This is an extreme measure as it’ll delete all your files, photos, etc. Don’t do this unless you’ve backed up your phone, and even then, it’s probably better to just...
• Wait for a patch. We expect Apple will be sending one out soon enough, although the company didn’t respond to our request for comment, or give any additional details on what it’s doing to fix chaiOS.

This isn’t a new breed of bug for the iPhone. Similar strings of text or dodgy web links have caused shutdowns in iOS in both 2015 and 2016. And at this point chaiOS is more of an annoyance than anything else.

Still, considering the end of last year was a particularly bad time for Apple’s software, we hope the company is more alert and responsive in 2018.