Bug in Apple Devices Crashes UI With Four-Character Input (techcrunch.com) 71
A newly discovered bug causes iPhones and iPads to briefly crash. All you need to trigger the bug are just four characters. From a report: On Wednesday, a security researcher found that typing "":: can cause the Apple mobile user interface, called Springboard, to crash. TechCrunch verified those characters do crash Springboard when typed into the Search bar in the Settings app, as well as if you swipe all the way to the right on your home screen and type them into the App Library search bar.
As others noted, all that's needed is actually "": and any other character. Triggering the bug briefly crashes Springboard, then reloads to your lock screen. In other tests, the bug flashed the screen black for a second. Researchers tell TechCrunch the bug does not appear to be a security issue. "It's not a security bug," said Ryan Stortz, an iOS security researcher who analyzed the bug. Patrick Wardle, who also researches iOS and founded security startup DoubleYou, agreed.
As others noted, all that's needed is actually "": and any other character. Triggering the bug briefly crashes Springboard, then reloads to your lock screen. In other tests, the bug flashed the screen black for a second. Researchers tell TechCrunch the bug does not appear to be a security issue. "It's not a security bug," said Ryan Stortz, an iOS security researcher who analyzed the bug. Patrick Wardle, who also researches iOS and founded security startup DoubleYou, agreed.
"Not a security bug" (Score:1)
Maybe it's not a security bug YET, but forcing a restart is likely to be an important step in a chain that is a real security bug.
Re: (Score:2)
I don't think so because it immediately crashes no matter what i put you put in so there's no opportunity there for creativity.
Re: (Score:2)
The horrendously buggy, untested frankencode happens to immediately crash with those characters. What does the negligently-written, liability-inducing frankencode do with a different, less-common combination of characters?
For all we know, the immediate crash is due to the fact that those characters are a backdoor into the OS/2 emulator, a handy utility which Apple thoughtfully included in iOS (until its removal in 2019) to increase the size of its available software library. A VIC-20 emulator loads in its place, but the offset to its startup routine is different. But type a different character in the 3rd position, and it jumps into the cassette tape driver. If you have a tape cassette drive attached at that moment, it might erase your backups!
Forget the USB floppy drives. Let's see a tape backup unit for an iPhone. This is the new nerd retro-quest!
Re: (Score:2, Insightful)
Re:"Not a security bug" (Score:5, Interesting)
Yes. It was stupid and, at his level, either dishonest or incompetent to say that a prompt-injection bug of any kind was "not a security bug".
Not necessarily. It depends on the type of crash:
There are probably exceptions to the above guidelines that I'm not thinking of right now, but that gets you in the ballpark, anyway.
Re: (Score:2)
So, out of the types of crashes you covered, you listed the chances of it being a security bug as:
* Possibly
* Almost never (IE: possibly)
* Maybe 10% (IE: possibly)
* Probably
* Almost certainly
And yet you disagreed with this comment???
Yes. It was stupid and, at his level, either dishonest or incompetent to say that a prompt-injection bug of any kind was "not a security bug".
Unless that guy knows a lot of insider stuff they're not telling us (which would also be kinda dishonest), that seems to hold water.
Re:"Not a security bug" (Score:5, Insightful)
Almost never (IE: possibly)
Within the margin of error of being never. An assertion means that the software realized something was wrong and chose to abort rather than continue. The only way that can be a security bug (unless you consider the ability to use it for denial of service to be a security bug) would be if somehow the assertion fired because of some previous memory corruption, which is just incredibly unlikely to happen without causing a crash earlier. It would be an absolute fluke to find that sort of bug in this way.
So if the crash falls into that category, then it is entirely reasonable for someone to say that it is unlikely to be a security bug.
Also, I kind of object to calling this a prompt injection bug unless there's some good reason to believe that AI/ML models are involved. This seems more likely to be a bug in procedural code, I suspect.
Re: "Not a security bug" (Score:2)
Re: (Score:2)
That's still only one of 5 categories of bug types - the list of which you provided - that is an almost never. Even if that one was a "never a bug" type, that only accounts for 20% of the types of bugs. So again, unless that guy know more than they're letting on, they shouldn't be carte blanche declaring it not a security bug. This isn't even a claim that this _IS_ a security bug, or even that it is likely to be one; It's simply that they shouldn't say it isn't one unless they really really know that, and i
Re: (Score:3)
That's still only one of 5 categories of bug types - the list of which you provided - that is an almost never. Even if that one was a "never a bug" type, that only accounts for 20% of the types of bugs. So again, unless that guy know more than they're letting on, they shouldn't be carte blanche declaring it not a security bug.
The person in question this could trigger the crash on demand, and therefore could also see the crash log, which would clearly indicate whether the crash was a thrown exception or not. The only way what you're saying would make sense would be if the people reporting on it did not own an iPhone or did not know how to do basic logs extraction, which is something most iOS devs do regularly.
Re: (Score:2)
That's still only one of 5 categories of bug types - the list of which you provided - that is an almost never. ...
... The only way what you're saying would make sense would be ...
I'm just summing the totals from the list that YOU provided:
dgatwood said:
Not necessarily. It depends on the type of crash:
Use-after-free assertion failure: Possibly a security bug.
Any other assertion failure: Almost never a meaningful security bug (notwithstanding the potential for DoS).
Null pointer dereference: Maybe a 10% chance of being a security bug.
Non-lowmem segfault caused by a data access instruction: probably a security bug.
Any segfault caused by the instruction pointer: almost certainly a security bug.
There are probably exceptions to the above guidelines that I'm not thinking of right now, but that gets you in the ballpark, anyway.
Are you changing your story now and saying that the bug is certainly an assertion failure that is not a use-after-free assertion?
If it still could be any of those, then my point stands quite well and makes perfect sense.
Re: "Not a security bug" (Score:3)
If you reach a point where security is broken, itâ(TM)s a security bug. If you reach a point where you canâ(TM)t predict how your code continues , you err on the safe side and assume itâ(TM)s a security bug. If you reach a point where your
Re: (Score:2)
Apple seems to have long standing problems with input sanitisation. Over the years there have been a few of these kinds of bugs. I seem to recall one was triggered by receiving an SMS, i.e. remote DOS attack.
Re: (Score:2)
Re: "Not a security bug" (Score:2)
Re: "Not a security bug" (Score:2)
Re: (Score:2)
Re: (Score:2)
World's worst Easter Egg ever!
Re: (Score:2)
The user needs to enter the string - if it can be triggered from outside, it might be a security bug... (Even if it can run arbitrary code, code execution from an "attacker" (user) that already have arbitrary code execution (can install apps) on the device is not a security issue)
If it allows running code with elevate permissions though...
uh'oh (Score:2)
Hope the simulation we live in isn't that easy to crash.
Re:uh'oh (Score:5, Funny)
Hope the simulation we live in isn't that easy to crash.
May I ask why? I for one would love to see the cascading digital failure coming before I cease to exist. Just so I can have one moment of laughter before it all disappears. Maybe the next boot up, 13.8 billion years in, the new me will feel differently, but right now I'm all for mixing it up.
"Anything different is good." -Phil Connors, Groundhog's Day
Re: (Score:2)
Re: (Score:3)
I was so disappointed when I read that the "Big Collapse" - the universe collapsing in on itself, to lead to another Big Bang - was no longer favored as our form of cataclysmic absolution. I mean, I probably won't be here whenever the heat death of the universe happens, but I was really hoping for a collapse so it would wipe out any possible memento of our embarrassing existence.
Recommended read: The End of Everything, Astrophysically Speaking by Katie Mack. Highly entertaining in its own right, it also gives those of us that find comfort in the idea that this is all gonna end at some point hope that we may actually get to experience it. Though some of them would really suck. The vacuum collapse theory really blows, pun intended. We wouldn't get to see that one coming. But there's some truly wild theories out there about different things that could glitch up and send a wave of noth
Re: (Score:2)
Re: (Score:2)
Hope the simulation we live in isn't that easy to crash.
IDK. After reading Katie Mack's (aka: AstroKatie) book, The End of Everything (Astrophysically Speaking) [astrokatie.com] and especially the chapter on Vacuum Decay [cosmosmagazine.com], I'm wary. Granted, it may be unlikely and/or very rare, but sounds easy ...
Re:uh'oh (Score:5, Funny)
Hope the simulation we live in isn't that easy to crash.
Crash, no. That would require that it actually enforce segmentation violations. Instead, it just keeps running and tries to use checksumming and stuff to minimize the amount of data corruption. This is how we got the duck-billed platypus, President Trump, black holes, and Batman.
The platypus was created when two processes running as root wrote to the same section of memory at once.
The Trump presidency was caused by an off-by-one error in a for loop.
Black holes were caused by the slightly broken chipset returning negative infinity when you divide by zero.
Batman was caused by someone inadvertently computing the value of "not a number" raised to the sixteenth power.
Re: uh'oh (Score:2)
Re: (Score:2)
And Slashdot was created because calling it Doublequotecolon led to Spring season ending.
Re: (Score:2)
Re: (Score:2)
fwiw it does not crash (Score:2)
Re: (Score:2)
beta 17.6.1
Must be version specific, because I use an old iPhone running 15.8.3, and nothing happens to mine either.
Other sequences cause a crash (Score:1)
Looks like "": followed by just about any other character causes a crash. Oops.
Orly? (Score:3)
I've got an iPhone 13 Pro running iOS 17.5.1, and this doesn't crash my phone at all. Going to Settings, tapping Search, and typing in "";; simply brings up some search results (nothing very interesting).
Too bad the article didn't specify iOS version, hardware models, etc.
Re: Orly? (Score:3)
Re: Orly? (Score:3)
How exactly do you not use Springboard?
Re: (Score:2)
Re: (Score:2)
you're crashing it wrong!
steve.
Re: (Score:2)
Crashed me out on an xr running 17.6.1. Same on a 15 Pro running 17.6.1
Didn't even have to hit enter, just two quotation marks, two colons, boom, crash.
must be doing something wrong (Score:1)
Re: (Score:1)
Appears fixed in the current beta.
Re: (Score:1)
Yup, I verified it (Score:2)
And it goes to show (Score:3, Insightful)
It doesn't matter how hard Apple try to sell the idea that their stuff is more secure and better engineered than everyone else's: it isn't. All software and every OSes are chock-full of yet-undiscovered dumb bugs and vulnerabilities. Apple's, Microsoft's, Linux', Google's... Everybody's.
Apple's shortcomings are just less visible than Microsoft's. Well, everybody's shortcomings are less visible than Microsoft's in fairness, because Microsoft is exceptionally good at shooting itself in the foot in the most spectacular fashion.
Stupid bugs like this one are a good thing: they remind everybody that Apple's PR is just that: PR.
Re: (Score:3)
the idea that their stuff is more secure and better engineered than everyone else's: it isn't. All software and every OSes are chock-full of yet-undiscovered dumb bugs and vulnerabilities.
You could say that about literally anything, F-150 > Cybertruck, Cybertruck > F-150
They all have undiscovered and known defects, true, nobody disputes that.
Pointing out one F-150 bug or one Cybertruck bug doesn't disprove either assertion. It's just a weird ax to grind.
Apple's hardware and software is better designed than everyone else's, AND all OSes and software have bugs. It's a mind blowing concept.
Re: (Score:2)
And as with most pitches, it's misleading. Apple made $7 billion from selling advertising last year. https://www.statista.com/stati... [statista.com]. That advertising income comes from their ability to...sell your data.
Re: (Score:2)
Re: (Score:2)
OK fanboy, how is it not the same thing? How else does Apple sell ads to you, without selling your data to advertisers? Those two things cannot be separated.
Re: (Score:2)
Re: (Score:2)
If I'm such a moron, then why did you even take the trouble to post a reply? If you're going to say I'm wrong, then be prepared to explain why. If you can't explain why, then what's the point of disagreeing, other than to show that you don't know what you're talking about?
Re: (Score:2)
Re: (Score:2)
Well, you're right about that part! I am definitely too dumb to realize that I'm an idiot just by being told by you that I am. But thanks for clearing that up. Only an idiot would call me a moron and an idiot and other names, without even explaining his original statement and just saying that I'm just wrong. It would require intelligence to do more than just engage in name-calling.
Re: (Score:2)
It doesn't matter how hard Apple try to sell the idea that their stuff is more secure and better engineered than everyone else's: it isn't.
They don't. Their pitch is "we won't sell your data like those assholes at Google."
And yet in the past they were caught doing exactly that
Crashes the current app (Score:2)
Re: (Score:2)
Re: Crashes the current app (Score:3)
Erm... Begs a few questions:
1. Why is a service running that parses text inputs in every app?
2. Why is it that said service is capable of crashing any app at all? I don't know iOS internals but that has an odor of sharing or at least injecting into the same memory space, which is dangerous
3. When will apple ever stop introducing text parsing bugs capable of trashing multiple layers of the software stack? That has an even stronger odor of bad coding practices overall
Re: (Score:2)
Possibly to provide consistent text transformations across apps, so shortcuts like (C) get replaced with the © symbol consistently. (Not to mention all sorts of slashdot-breaking substitutions like smart quotes, ellipses, etc.) Probably also for reasons involving copy/paste, password field inputs, etc. You really don't want every app to have to implement all that internally.
Re: Crashes the current app (Score:2)
Possibly to provide consistent text transformations across apps, so shortcuts like (C) get replaced with the © symbol consistently.
Why on earth would they do it that way instead of having context system? E.g. long press C or adding a symbol button? Less finger movement for sure this way.
You really don't want every app to have to implement all that internally.
You shouldn't even need to in the first place. The fact that we're even having this conversation speaks loudly about just how bad their engineers are.
Because... it's software. How do you propose it be made incapable of crashing?
By using channels to communicate instead of communicating by overwriting shared memory when you have no guarantee of it being safe to do so. That's just really, really bad coding, and it's things like that
Windows does similar when you type (Score:2)
install linux
it deletes all your data, launches CD's at your pets, and then freezes up.
Re: (Score:2)
Maybe you haven't heard, MS actually offers a Linux subsystem: WSL
https://learn.microsoft.com/en... [microsoft.com]
MS has in recent years gone to great lengths to support Linux and open source software. Even .NET itself is now open source, and runs on Linux.
Multiple combos (Score:1)
Though no info has been spread yet, maybe it can be used to enter secret debug menus "debugradio": or "deactivatefaceid":
To briefly crash? (Score:3)
How does a bug like this happen?? (Score:2)
How does a bug like this happen?? It is incomprehensible.