Two years after the discovery of a bug in Microsoft’s Windows Phone software that would cause the Messaging Hub, or even the OS, to hang if it received a specially crafted SMS or text message via Facebook, the discoverer, Khaled Salameh, has revealed exactly how to reproduce it.
The bug, which has now been patched, simply required a special character similar to this U to be sent to the victim.
If you send the resulting text to any Windows Phone 7 or 7.5 device that doesn’t run the Tango update, the SMS hub will crash instantly and will no longer work. If for some reason your name is pinned to the start screen and it is posted on Facebook and synced to the start screen, the entire phone will hang.
Khaled notes that Microsoft was extremely slow to respond to the news, both initially and throughout the process, and that he was at one point offered $50,000 to give the secret string to a 3rd party, presumably for malicious reasons. Khaled refused to sell, and eventually, after nearly a year, received a Nokia Lumia 800 for his trouble.
Microsoft took 9 months to deliver the patch, and the Tango update that delivered it itself took many months to roll out.
We can only hope Microsoft will respond faster to future Windows Phone security threats, as there are now many millions more Windows Phone users.
Interested readers can see exactly how to reproduce the magic string at Khaled’s site here, and if you are still on pre-Tango WP7, we suggest it may be time to upgrade either your OS or your phone.
Thanks to Waseem and JJJ for the tip.