Fixed iMessage bug bricked iPhones using malformed message

Released by Google Project Zero, the search company's bug and vulnerability-discovery team, the issue relates to a specific type of malformed message that is sent out to a victim device. As per usual disclosure rules, the bug was held from public view until either 90 days had elapsed or a patch had been made broadly available to the public, with Apple's release in an iOS 12.3 update fixing the bug and allowing for it to be revealed.

Specifically, the message contains a property with a key value that is not a string, despite one being expected. Calling a method titled IMBalloonPluginDataSource _summaryText, the method assumes the key in question is a string, but does not verify it is the case.

The subsequent call for IMBalloonPluginDataSource replaceHandlewithContactNameInString calls for im_handleIdentifiers for the supposed string, which in turn results in a thrown exception.

While the message can affect both Mac and iPhone, they do so in different ways. For macOS, the error causes "soagent" to crash and respawn, making it a relatively brief issue where, at worst, the Messages app stops working.

On iPhone, the code is in Springboard, and will repeatedly load, crash, and reload itself to a point that the UI cannot be displayed and the iPhone ceases to respond to input by the user. As the problem survives a hard reset, and starts occurring again after unlocking the iPhone, the only known solution is to reboot into recovery mode and restore the device.

As part of the disclosure, Google Project Zero has also released instructions to reproduce the issue.

AppleInsider recommends users keep their iPhones up to date where possible, and to retain backups of their devices and stored data.

Malformed messages have been the source of some issues for iMessage users in the past. One major example is the "Black Dot" Unicode bug from 2018 that abused invisible characters to crash the app on iPhones and iPads running iOS 11.3.

Another 2018 "text bomb" exploited unoptimized rendering processes for OpenGraph page titles to create excessively long tags, again causing crashes. Another from 2015 used a single line of Arabic script to consume iOS resources when rendering, but only when it appeared as a notification.