Spot the censored flag. Taiwanese flag emoji denial of service attack.
With the release of iOS 11.4.1 this week, Apple has patched a bug that caused iPhone apps to crash if a user tried to insert the Taiwanese flag emoji, while the locality of their devices was set to China.
The bug was discovered by security researcher and developer Patrick Wardle of Digita Security. It meant that for over two years, it was possible to remotely crash iPhones apps by sending messages with the Taiwanese flag emoji.
Wardle was alerted to the bug by a Taiwanese friend who complained that her iPhone messaging apps would crash when she tried to type Taiwan. In recent version of iOS, the typing in a country name also displays the nation's flag emoji.
To his amusement, Wardle found that he could crash his friend's apps such as iMessage, Facebook Messenger, and WhatsApp consistently by sending her multiple Taiwanese flags.
An analysis of the bug indicated that it was a NULL pointer dereference, a programming error that will reliably crash any related process.
Wardle went further and discovered the bug was triggered by iOS trying to hide the Taiwanese flag on phones where the location had been set to China.
China considers Taiwan as a renegade provice, and does not recognise the sovereignty of the island nation. The two were technically at war with one another until 1979.
As a result of the strained relations between the two countries, the Taiwanese flag is censored in China. The flag emoji won't display on iPhones that are set to China, with Apple having added code to iOS to hide it and show a blank white box with a X in it.
This code was buggy however. Wardle said that "if Apple hadn't tried to appease the Chinese government in the first place, there would be no bug!"
While Apple did not confirm that the censorship code to hide the Taiwanese flag was done to placate the Chinese government, it acknowledged the bug and assigned a Common Vulnerabilities and Exposures index of CVE-2018-4290 to it, and thanked Wardle for finding it.