Surprise! Assorted jerks on the internet have weaponized the Unicode-based bug we reported yesterday to insta-crash apps running on an iPhone or a Mac. The result is somewhere between the old Alt + F4 trick and a script kiddie stunt, and it ranges from being annoying to rendering a device unusable, depending on the tenacity of the troll.
The bug causes many iOS and Mac apps to crash when rendering two characters in Telugu, a south Indian language. While anyone can avoid viewing the symbols themselves, problems arise when someone ill-intentioned starts spamming out the symbols or sending them directly to devices where they will be received as a notification.
Droves of Twitter users have taken to tweeting the symbols out over the last day with messages like “read this to log off instantly” and “retweet this to crash anyone using an Apple device,” though luckily most of them don’t have many followers. Still, if the symbol shows up in your @ replies or in the handle of someone who likes one of your tweets, then it’s game over for whatever app you have open (Motherboard writer Joseph Cox learned this the hard way). From what we’ve observed, the only way to get an app working again is to reinstall it from scratch — a time-consuming process, especially if a troll just crashes it all over again.
As captured on Twitter, one security researcher added one of the symbols to his Uber handle as an experiment. “I suspect a crashed phone means you get routed to the next driver… who gets crashed too. Like an Uber routing worm,” he wrote. We reached out to Uber to see if they’re aware of the issue and will update when we hear back.
For now, most of the trolling seems to be on Twitter. A search on both Facebook and Reddit yielded conspicuously few signs of Telugu trolling, so it appears that those platforms may have taken steps to limit the fallout from the iPhone-killing Unicode symbols.
Meanwhile, a thorough blog post by Mozilla engineer Manish Goregaokar suggests that the scope of the Unicode bug could be broader than the two symbols we know. “… From some experimentation, this bug seemed to occur for any pair of Telugu consonants with a vowel, as long as the vowel is not ై (ai),” he wrote. His findings so far:
So, ultimately, the full set of cases that cause the crash are:
Any sequence <consonant1, virama, consonant2, ZWNJ, vowel> in Devanagari, Bengali, and Telugu, where:
consonant2 is suffix-joining – i.e. र, র, য, and all Telugu consonants
If consonant2 is र or র, consonant1 is not the same letter (or a variant, like ৰ)
vowel is not ై or ৌ
TechCrunch has reached out to Twitter, Facebook and Reddit to see how those platforms are handling the bug, which is particularly destructive when blasted out on an open social network. We’ve also been in touch with Apple and they’ve confirmed that there is a “dot update” fix coming soon, though declined to confirm if it would be iOS 11.2.6. Apple noted that the bug is fixed in current betas of iOS, tvOS, macOS and watchOS.
Comments
Post a Comment