Welcome to the MacNN Forums.

If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below.

You are here: MacNN Forums > News > Mac News > 'Pranksters' behind spate of iMessage DoS attacks?

'Pranksters' behind spate of iMessage DoS attacks?
Thread Tools
MacNN Staff
Join Date: Jul 2012
Status: Offline
Reply With Quote
Mar 29, 2013, 10:53 PM
A flaw in the Messages application used widely on iOS devices has been revealed through a denial-of-service (DoS) attack on a group of jailbreak app developers. The program is subject to simple "flood" type attacks in which an attacker automatically sends messages incredibly rapidly, effectively rendering an account useless. Grant Paul, who goes by "chpwn" on Twitter and was one of the half-dozen victims in the attacks, said that the problem is that "Apple doesn't limit how fast messages can be sent," thus filling up the inbox and requiring the user to clear notifications and text in order to use the app.

Another, known as iH8sn0w, is well known for his jailbreak tool, reports AppleInsider. "On Wednesday night, my private iMessage handle got flooded," he told TheNextWeb, and discovered that simple "automated flood" messages can render the app practically useless, or complex texts using Unicode characters or are very large in size can cause the app to completely crash, particularly if it tries to render "Zalgo" text. He has since created a proof-of-concept AppleScript that demonstrates how easy it is to create and send recurring messages that would effectively block use of Messages.

Paul was able to find a method of deleting the complex texts that were crippling the app, but noted that the attackers were using disposable, temporary email addresses to send the attacks, leaving no effective way to block future attacks. Apple has been notified of the vulnerabilities but has not yet responded on the issue, however iH8sn0w expressed hope that Apple will begin flaggin excessive messaging at the server level and block attacks from there.

Forum Regular
Join Date: Dec 1999
Location: Brightwaters, NY
Status: Offline
Reply With Quote
Mar 31, 2013, 08:42 PM
A few simple lines of code on Apple's end can easily fix this; No more than 1 message per person per second can be sent.

Also, hopefully in the future Apple will add blocking in iOS 7, so you can ban certain people from contacting you.
Fresh-Faced Recruit
Join Date: Jun 2007
Status: Offline
Reply With Quote
May 8, 2013, 04:17 PM
Surprised this wasn't figured out sooner. iMessage is an open gate that once your ID gets figured out can be flooded. Putting a limit of one message per second still means 3600 incoming messages an hour.

Limits would have to be set in a way to stop the DoS damage, but still allow regular messages through. And an overall blocking mechanism would be great too, to keep out those peskys that try and get through. If blocking could also be implemented with SMS and phone calls, that would be awesome.

Yes, blocking a specific iMessage account can be thwarted by the spammer creating another account, but that takes time on their end, and if Apple sees a huge number of accounts being created from the same address, they can take action specifically.

The extra scary thing is that you can randomly enter in phone numbers into iMessage, and it'll tell you if that number has an iMessage account associated with it. Pretty easy to script something like that if you wanted to.
Thread Tools
Forum Links
Forum Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On
Privacy Policy
All times are GMT -4. The time now is 06:40 AM.
All contents of these forums © 1995-2015 MacNN. All rights reserved.
Branding + Design: www.gesamtbild.com
vBulletin v.3.8.8 © 2000-2015, Jelsoft Enterprises Ltd., Content Relevant URLs by vBSEO 3.3.2