Security Week 18: text bomb for iOS

If an imaginary collection of the best hits is collected from different types of vulnerabilities, then various kinds of input processing errors will occupy the best places there. One of the oldest ways to disable a program or an entire system is zip bomb – A small archive that is deployed, depending on the time era, in hundreds of megabytes, gigabytes or petabytes of data. But then the archive, it still needs to be downloaded and try to unpack. Text bombs are much more interesting – messages whose format leads to a program crash or the collapse of the entire system. In the world of instant messengers and mobile devices, this is especially true.

Last week, a single-message suspension mechanism for mobile devices was discovered in the iOS operating system for Apple mobile devices (news) iOS incorrectly processes at least one language character cindhi, one of the official languages ​​in Pakistan, included in the Unicode standard. When displaying such a symbol on a phone or tablet, failures of varying degrees of difficulty occur, in the worst case, a reboot of the device is required. A message with a difficult symbol must be displayed on the screen, in the client of the social network or in the messenger, but a failure is also caused when the notification is displayed, if the message preview is enabled. In other words, after a reboot, you can run into a crash of software or the whole system again if someone decided to completely control you.

The discoverer of the text bomb is unknown. On Reddit, in the jailbreak community of iPhones, posted a homemade patch from this misfortune, mentioning the messages on Twitter (as in the screenshot at the beginning of the digest) that were distributed last week, for some reason with the addition of the Italian flag to the symbol from the Sindhi language. The flag does not participate in the operation of the bug. To avoid mass trolling, the publication of characters a la naturel was strictly prohibited in this community. You can peek at the character code in code patch for “hacked” iPhones. We will not publish it right here and we do not advise you. Not funny. This is a bug, but not a vulnerability: software crashes do not lead to code execution, at least there were no such messages. In the current beta version of iOS, the problem is solved, but before the official release of the update in social networks and instant messengers, a chant of revelry is likely.

The beta version of iOS 13.4.5 also closed two bugs in the mail client Apple Mail (news) According to the team Zecops, both vulnerabilities lead to data leakage from the mail client when opening a prepared message. ZecOps claims that the old version of iOS 6 is also affected, and that since 2018, vulnerabilities have been exploited by unnamed attackers “in the fields”. Apple, however, believes that it cost without active attack: “There is no immediate threat to users.”

If the text bomb in iOS is just annoying, what about a malicious GIF that allows you to steal access to your account in the Microsoft Teams service? This vulnerability was discovered by CyberArk (news, study) Researchers found a weak point not in the image processor, but in a mechanism that allows you to track who shared what in this platform for collaboration. Since Microsoft Teams can integrate a cloud service, private corporate servers, and software on users’ computers, a rather complicated system of image attribution with the transfer of tokens identifying the subscriber was needed. Add to this two subdomains on the Microsoft website, the traffic to which theoretically can be switched to the attacker using the procedure sub-domain takeover, and we get the following scenario. You send the prepared GIF to the user. The picture is registered in the service with the transfer of user tokens to the * .microsoft.com subdomain. The attacker redirects traffic to this subdomain to himself and receives a token. Using authorization keys, you can already access the cloud service API on behalf of the affected user and receive various private information about the internal structure of the company.

What else happened

Nintendo Confirmed breaking into 160 thousand accounts through the Nintendo Network ID system. This is a legacy system, used, in particular, for accounts in the Nintendo 3DS and Wii U consoles. But through this old account you could also get into the company’s modern network service, servicing, for example, Nintendo Switch. Hacking NNID has already led to the theft of virtual money from user accounts.


Leaked source code for Team Fortress 2 and CS: GO multiplayer games. The source codes, usually distributed privately and only among the developer’s partners, Valve Software, were publicly available. According to Valve, this is a “reload” of the sources that have already surfaced on the network in 2018, so you should not expect the appearance of new exploits to attack gamers.

Last week was widely discussed a leak a database of 25,000 email addresses and passwords, allegedly owned by employees of the World Health Organization, the Bill and Melinda Gates Foundation, and the Wuhan Institute of Virology. Most likely, this is a sample from a huge database of earlier leaks from network services, which someone made for the sake of the day. Meanwhile, according to the Google Threat Analysis Group (and other companies), the topic of COVID-19 is actively is used in phishing attacks on government agencies in different countries.

Interesting discovered example trustworthy password phishing for Skype messenger.

At Palo Alto Networks investigated botnet targeting vulnerable Zyxel NAS devices. And in ESET analyzed vulnerabilities in hubs for a smart home of three different manufacturers. The bad news: there is the possibility of remotely intercepting control over the entire home IoT infrastructure. The good news is that the vulnerabilities investigated are already covered by manufacturers, some of them have long been closed. The bad news: not all hub owners deliver updates on time.

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *