A flaw in the Messages
application used widely on iOS devices has been revealed through a denial-of-service (DoS) attack
on a group of jailbreak app developers. The program is subject to simple "flood" type attacks in which an attacker automatically sends messages incredibly rapidly, effectively rendering an account useless. Grant Paul
, who goes by "chpwn" on Twitter and was one of the half-dozen victims in the attacks, said that the problem is that "Apple doesn't limit how fast messages can be sent," thus filling up the inbox and requiring the user to clear notifications and text in order to use the app.
Another, known as iH8sn0w
, is well known for his jailbreak tool, reports AppleInsider
. "On Wednesday night, my private iMessage handle got flooded," he told TheNextWeb
, and discovered that simple "automated flood" messages can render the app practically useless, or complex texts using Unicode characters or are very large in size can cause the app to completely crash, particularly if it tries to render "Zalgo"
text. He has since created a proof-of-concept AppleScript that demonstrates how easy it is to create and send recurring messages that would effectively block use of Messages.
Paul was able to find a method of deleting the complex texts that were crippling the app, but noted that the attackers were using disposable, temporary email addresses to send the attacks, leaving no effective way to block future attacks. Apple has been notified of the vulnerabilities but has not yet responded on the issue, however iH8sn0w expressed hope that Apple will begin flaggin excessive messaging at the server level and block attacks from there.