Guilherme Rambo Explains the Dave & Buster’s Messages Anomaly

Originally published at: https://tidbits.com/2025/06/05/guilherme-rambo-explains-the-dave-busters-message-anomaly/

At his rambo.codes blog, Guilherme Rambo writes:

The bug is that, if you try to send an audio message using the Messages app to someone who’s also using the Messages app, and that message happens to include the name “Dave and Buster’s”, the message will never be received.

In case you’re wondering, “Dave and Buster’s” is the name of a sports bar and restaurant in the United States.

It’s always an HTML entity! Read all of Rambo’s piece for the full explanation, but essentially, Apple’s BlastDoor security system correctly refuses to pass messages containing malformed XHTML, which can be caused by an unescaped HTML entity within an attribute: the ampersand in “Dave & Buster’s.” Anyone who has coded HTML has stumbled over entities at some point—forgetting to escape an ampersand is a classic mistake. It’s almost reassuring to see that even Apple engineers can miss such edge cases, though it’s ironic that their efforts to transcribe the official brand name correctly are what triggered this failure.

1 Like
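An added example (not from the original post or from Rambo's write-up) of the failure mode described above: a strict XML parser rejects an attribute holding a raw ampersand and accepts the escaped form. The `span` element and `data-transcript` attribute are hypothetical stand-ins, since the page does not show the actual message markup.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

# Hypothetical markup: element and attribute names are assumptions made for
# this example, not the format the Messages app actually uses.
TEMPLATE = "<html><body><span data-transcript={attr}>audio</span></body></html>"


def build_naive(transcript):
    """Interpolate the transcript into the attribute without escaping."""
    return TEMPLATE.format(attr='"' + transcript + '"')


def build_escaped(transcript):
    """Escape &, < and > and choose safe quoting before interpolating."""
    return TEMPLATE.format(attr=quoteattr(transcript))


def strict_parse(doc):
    """Parse as strict XML, the way a validating receiver would.

    Returns (True, attribute value) when the document is well-formed,
    or (False, parser error text) when it is rejected outright.
    """
    try:
        root = ET.fromstring(doc)
    except ET.ParseError as exc:
        return False, str(exc)
    return True, root.find("./body/span").get("data-transcript")


def survey(transcripts):
    """Map each transcript to (naive accepted?, escaped accepted?)."""
    return {
        t: (strict_parse(build_naive(t))[0], strict_parse(build_escaped(t))[0])
        for t in transcripts
    }


if __name__ == "__main__":
    # Constructed sample transcripts; the brand names are the ones named on this page.
    samples = ["Dave and Buster's", "Dave & Buster's", "AT&T", "H&M"]
    for text, (naive_ok, escaped_ok) in survey(samples).items():
        print(f"{text!r}: naive={'ok' if naive_ok else 'REJECTED'}, "
              f"escaped={'ok' if escaped_ok else 'REJECTED'}")
```

A lenient HTML parser would typically tolerate the raw ampersand, which is why the mistake can go unnoticed until the markup reaches a strict XML consumer.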

I worked on speech processing technologies (both speech recognition and text-to-speech synthesis) for many years, so this strange anomaly with iMessaging caught my eye. I was quickly able to reproduce it with my iPhone 15P, but I found a curious inconsistency. When I composed an iMessage using voice (i.e., tap the microphone icon then speak the desired text), iOS transcribed the spoken input using the iOS reco engine and converted it into text. I said “dave and busterzz”, and the resulting text string was “Dave & Buster’s”. I sent the iMessage to another iPhone, and it was received successfully. The unescaped & did not cause any problem.

But if I use the iMessage Audio feature to compose and send an audio message, the anomaly gets triggered. Tap the + button in iMessage compose window, then tap Audio, and say “dave and busterzz”. iOS transcribed this input into the same text string (“Dave & Buster’s”) and sent it together with the audio waveform as a multimedia iMessage. That triggered the anomaly - the message never appeared at the receiving device.

It’s odd that Apple’s BlastDoor analysis – described by Guilherme in his excellent blog post – only captures the potential vulnerability (the unescaped &) in one of these two iMessage use cases.

I wonder how many other trademarked company names containing ampersands are hard-coded in the iOS recognition engine. By trial and error, I found a few that are: AT&T, M&Ms, H&M, Procter & Gamble, Dun & Bradstreet. These are all fairly well-known brand names. Somebody in Cupertino must be fond of Dave & Buster’s sports bars :smiley:.

1 Like

See it all the time with Irish names such as O’Malley, O’Brian, etc., etc., etc.

Developers make this mistake often. They forget to take the input, escape the apostrophe and it is misinterpreted by the code as a result.

3 Likes

Another issue might be that Dave & Buster’s were spamming via text messages and Apple Security red-flagged it. Or bad actors impersonating Dave & Buster’s.

For those unfamiliar, Dave & Buster’s is like a sports bar that includes a gaming arcade. You can drop tokens and play video games or air hockey, etc. but then actually be able to get a halfway decent meal and a beer or cocktail. I visited one in a Providence, RI mall recently. It was not like it used to be. Terrible service, the food wasn’t as good as I remembered. The place was dirty. Way too many minors running around. It was initially an adult venue. I guess that might be this one location. Everyone has staffing issues lately. Gen-Z has a work ethic problem. Might just be a bad manager. The kids are a result of it being off the food court of a large multi-story mall near downtown Providence. They wristbanded us to indicate we were adults and allowed to order alcohol.