Typing “old” (space) into iOS Safari crashes the app
twitter.comFor those not reproducing: your device may have to reside CONUS for some of "tar"(-get), "bes"(-tbuy), "wal"(-mart), "wel"(-ls fargo), "old"(-navy?), "sta"(-rbucks), "pla"(-net fitness?) to work. Try local brands, e.g., "Harrods", "Tesco", "Picard", etc. For my country "Gusto", a casual dining franchise, reproduces the issue. List is from [1].
Edit: stopped reproducing here as of 19:11 UTC.
Edit: some people digged into it[2][3], [2] includes partial endpoint URLs. Apparently this was happening for 7+^H^H 10+ hour.
1: https://www.macrumors.com/2022/11/14/safari-search-crash-bug...
> your device may have to reside CONUS for some of "tar"(-get), "bes"(-tbuy),
I have no idea what this means
These initialisms, abbreviations and acronyms are getting out of hand.
These are the people who in real life say “Jan” instead of “January.”
At least that can usually be understood from context. Acronyms and initialisms usually cannot unless you already know them.
Sounds like most conversations I had with cybersecurity people until I learned about NIST 800s, FIPS, CNSS, STIGs, etc.
This wouldn't make me blink.. Jan, Feb.. but if someone just said Mar for March I'd blink twice.
How about Thu for Thursday?
Apr for April :P
And Jun for June?
I literally just had a PM tell me "we will talk about that 'tom'". It left me confused for a few seconds. Is it really that hard to use a couple more syllables?
Prime Minister of what country?
Kinda reminding me of when you're autocompleting commands in a shell prompt.
“My name is not Tom”
"Who tf is Tom?"
Apache Tomcat, a casual acquaintance of the local tomboy.
And K instead of OK
And “OK” instead of “I understand, thank you.”
Still, “k” is infinitely better than a thumbs up.
Hmm, how so? A thumbs up is more bytes, and thus more poignant.
No, I'm talking specifically about case of reducing two letters to one.
OK is oll korrect
okay
typical hacker news bullshit.
people forget that many acronyms are context sensitive and/or audience sensitive. they just assume everyone across the world has the same shared life experience that they do.
Specifically the use of military jargon to describe consumer software
Many small time make big time
"CONUS" is short for "CONtinental United States"
Where is this term popular? I have never, ever heard this term before.
It's a US military term; I've never heard it outside of a military context, but it's super common within a military context.
It shows up a lot outside of military contexts when flat rate shipping is involved - it's usually CONUS-only.
For me(GP) it was this. Some of desk toys and electronics I'd considered were like that.
It is used in satellite communications as well to describe those beams that cover the continental US.
It’s popular with people who work for the USG. United States Government.
Sounds like it could be a USAF term
Wait, now we have another initialism :P
United States Air Force, where initialisms enjoy a great deal of popularity
US domestic shipping?
It stands for Contiguous or Coterminous United States
Is Alaska considered continental in this jargon ?
No. CONUS stands for Contiguous or Coterminous United States. Alaska is outside CONUS or OCONUS.
Thank you
CONUS (can't help but giggle) supposedly stands for Continental United States, as I learnt from a sibling comment here. First time I'm hearing that acronym.
Target is a supermarket chain in USA. I assume Bestbuy is also something like that.
In my browser (Firefox on Android) if I type "tar" it auto-suggests completing the url to "target.com". Useless to me because I'm nowhere close to USA and there's no Target in my country.
Speaking of which, maybe they should have a separate list of autocompletable sites based on the user's location. However, I'm not sure of the privacy implications of that.
Continental US, I guess? Not sure why “continental” matters.
Excludes Hawaii, and Alaska (+ all other non state islands/territories)
Continental includes Alaska, as it's on the same continent, but contiguous does not.
Good thing this acronym distingui- oh.
So that would be CONUS instead of CONUS?
Never heard L48 though. Yet.
i think they meant they're not sure why that would make a difference
So you’re saying the bug doesn’t happen for Hawaiian iPhone users somehow?
Me either, but guessing: Contiguous United States
Most interesting comment on cone snails that I ever heard. Couldn't parse it either. Others said it means continental United States.
Would be quite the story if shitty adware causes crashes.
It’s “Continental United States”.
Does not crash for me. (US, using “old “.) Safari suggestions on. IOS 15.7 (19H12).
Installing 15.7.1 now to check that version (and because I might as well install it anyway...) Edit: doesn’t crash on 15.7.1 either (though my first test on 15.7.1 was at 17:28 UTC.)
Hm, I am on CONUS and I’ve visited bestbuy.com a lot recently. The bug is not happening to me. Probably because I’m on iOS 15.6 and the bug happens starting with iOS 15.7, according to your Macrumors reference.
Probably I should upgrade even more slowly in the future…
I like the many possibilities here of
1. apple shipped a feature for walmart causing their browser to crash
2. apple shipped walmart code in their browser which crashed
3. apple shipped walmart plugin in their browser and then apple made a breaking change which crashed
3rd one is my favorite because it's the most dysfunctional
The reality will be more like Safari suggestions API sending malformed response for some scenarios, crashing the app.
And none of those would explain why Gusto crashes for the person you replied to
They really, really don't want you using old.reddit.com
Doesn't reproduce for me btw. I also have the setting disabled that adds a period when typing a space twice, if that matters.
Cease your investigations into this conspiracy theory immediately. We must not anger the new reddit designers
They have designers?
I use my phone as little as possible, I just realized the only 2 things I type into my mobile browser (currently safari) on a regular basis are new(s.ycombinator.com) and old(.reddit.com). Never put that together before, it's been like a decade.
I wasn't able to reproduce the bug.
Try Narwhal for Reddit on iOS. It’s a very good experience.
Yeah I was trying and all I was getting suggested is old.reddit.com
Unfortunately, connecting MacOS Safari debugging crashes the debugger when the iOS Safari crashes as far as I can tell.
That's just the old
Dammit, that's just the old
From my reading of the update log, it looks like the last change was from Candlej
“Best “ does it for me. 16.1.1
Turning off “Safari Suggestions” in settings fixes it.
Funny, with Google you typically want to add "-best" to your searches to cut down on SEO spam.
Interesting, I had never heard of this tip before. How do you do this though? Do you just add it at the end like a flag? (e.g. "sparking water -best" ?) In general, I thought these kinds of search engine commands were being phased out, but it looks to me like it would filter out those garbage articles that would bring up results like "top/best 15 brands of sparkling water" etc.
That still works on Google. You can put it anywhere in the query. The "-" is a negation operator that tells the engine to exclude results containing the following word.
They've actually apparently introduced a few new operators since the old days, which I found surprising. For example, $ for prices, # for hashtags, and .. for ranges of numbers. https://support.google.com/websearch/answer/2466433?hl=en
I often do the opposite: "best [search query, usually a product] in the world".
You'll likely get the opposite
I can only get to bes before it crashes, turning off safari suggestions fixed it. I think it’s maps/shopping related, old navy and Best Buy were the suggestions.
None of the strings crashed my safari, I'm on whatever the newest version of iOS is, just updated it yesterday.
edit: Also, I'm on the iPhone 11 or 12 I think? So maybe model has something to do with it?
It seems to be tied to "Safari Suggestions", so if you have that turned off you won't see the crash.
Not for me, I actually turned that off just now, I didn't know it was "on". Maybe a hacker who resides on my iPhone fixed the bug for me?
Also, I'm on the iPhone 11 or 12 I think? So maybe model has something to do with it?
> Maybe a hacker who resides on my iPhone fixed the bug for me
Wholesome hacking
If you "hacked" a system, I would assume the first thing you'd do is patch any of your own known exploits, and others, so you don't lose ownership to some other hacker, right?
If you ever consider a career change, the parasitology field could advance from your intuitions.
I'm on 16.1.1 with Safari Suggestions turned on. No crashes here. iPhone 12 Pro.
Wild! Mine crashed the first try, turned off Safari Suggestions, crash behavior gone.
Turned it back on... still no crash. Search engine makes no difference.
Wonder if it's a cache thing and disabling Suggestions cleared that, removing whatever bad data was hanging around, or if it was a purely server-side bug and they've already fixed it.
[EDIT] Some others saying it stopped happening, so may have been fixed.
Same here, impossible to make it crash, and yes suggestions are on. (Although I must say I never get any suggestions for some reason)
I had a bunch of open tabs in Safari, and typing "old" (space) not only crashed Safari but got rid of almost all of the open tabs. It was all stuff I needed to refer back to, and yeah that's not a great way to manage stuff like that. Of course bookmarks would be the right way. But now it's gone.
So be careful.
That's actually an interesting datapoint, it means Safari is crashing so hard it flushes the tab storage; normally "killing" (especially a background kill) Safari won't do that.
"Turning off “Safari Suggestions” in settings fixes it." I should have turned that off before. It certainly stopped this one weird crash.
I turn off search suggestions, auto-complete, auto-correct, intellisense and its ilk, everywhere I can.
I like the autocomplete from my bookmarks and history. What's mind boggling is how slow it is (on Firefox on a beefy PC + SSD + Windows)
It crashes for me without even typing the space at the end. Works for best too.
Imagine having a domain or business name starting with "old" - nightmare scenario!
Old Spice, Old Navy...
According to the top commentator that's exactly why it's happening
how is it a "nightmare scenario"? it's not ideal, but it doesn't sound bad (there are other browsers, workarounds, etc. it's not like these sites are forever gone because of a ransomware or SSL key exploit, etc)
I can't imagine "Old Navy" customer support is going to have much success telling iOS customers to install another browser (I'm not even sure that solves it).
My guess is a lot of the crashes come from old.reddit.com
Is old.reddit.com very unstable for everyone else in safari or just me? On my past 3 iphones through multiple iOS versions I can't browse for more than 10 minutes without eventually hanging/crashing safari. It seems to happen most frequently after browsing posts with images
New Reddit it like that. Page randomly resets no matter what you’re doing. Dumps you back at the top and asks if you want to install the app.
They are desperate about getting you to download their app.
To the point where it feels like they have pretty obviously intentionally gimped the mobile website to drive you to the app - which just makes me way less likely to install it. Page loads take absolutely forever, videos almost never work first try, their image galleries are essentially unusable... None of these are issues on desktop web (on the same network).
New reddit is just harmful to your laptop battery. It fulls one cpu core all the time if you don't block the update websocket. Truly the worst written react app I ever saw.
I installed an app. A 3rd party app. To occasionally obtain useful info from that site whose designers are hostile.
I haven’t had any trouble with it.
Can someone contribute more than "lol, me too!" and figure out which API endpoint it's hitting, what it's returning and guess why it's crashing? I don't have an iOS device otherwise I'd do it...
It’s their own “Safari suggestions” service. I don’t know if that’s device local or some Apple API which changed but disabling it prevents the crashes.
I wonder if "Safari Suggestions" is crossing a privacy line with its API it shouldn't and iOS nukes the app from orbit.
I doubt that since it’s their own code but I’d easily believe that it hits an API endpoint which just started malfunctioning. The description is vague but it appears to retrieve a bunch of different kinds of information from some Apple service. Clearly a massive test coverage miss if my speculation is right.
I think he is joking.
It's partially a joke, but as anyone who has worked with a complex system, things like this can happen. A privacy control is changed somewhere, but not activated until later, and suddenly one day something stops working.
I wasn’t sure about that and it’s certainly not without precedent that different parts of the same company might do something like that.
Someone from Apple can probably attach a debugger and figure out the problem, but most of us are going to be in the dark.
set up a proxy, install its certificate and mitm it? Might work at least...
In my case I don't even need to type the space - the moment I press "d" it crashes.
Same for me. Doesn't happen in Firefox which is strange because I thought all browsers used the same Safari engine...
Firefox on iOS uses webview for page rendering, but the url suggestions (which seem to be the cause of the crash) are separate and are handled by firefox's code.
“best “
“bedt “
“old “
“wel “
“dta “
All of these crash safari in iOS for me.
What’s strange about this bug is that it happened overnight for multiple iOS version.
It seems to be a server bug that happens with the requests that populate the suggestions.
Turning off safari suggestions fixes it.
Concur, smells strongly of a server-side change, that it's hitting multiple versions all the sudden. Which might mean it's also relatively quick/easy fix?
> smells strongly of a server-side change
Doesn't need to be. Some software nowadays can toggle feature flags clientside behind your back. I know Firefox does (or did?) this. Creepy as all fuck.
> quick/easy fix
Wait, you don't want them to fix the client crashing on malformed data?
It's not universal, my iPhone 14 pro with 16.1 does not crash for any letters I can type, spaces or not. Suggestions work fine for me. Clearly there is another factor not obvious causing the crash. In any case Apple would see a whole influx of crash reports (assuming they are as anal about them as I used to be).
I wonder if a crash log gets generated - Settings -> Privacy -> Analytics & Improvements -> Analytics Data will have it if so. Unfortunately, I can't reproduce the issue on my phone (iOS 16.1, Canada)
Turning off Safari Suggestions is one of the first and most important privacy tweaks on a new iPhone. Otherwise every keystroke you type in the address bar gets sent to Apple in realtime.
> most important
Really? No - there is no privacy threat surface with suggestions, unless you assume that Apple and everyone who works there is lying about it?
ref: "any information sent to Apple does not identify you, and is associated with a 15-minute random, rotating device-generated identifier"
[0]https://www.apple.com/legal/privacy/data/en/siri-suggestions...
Apple also said:
“We do not provide any government agency with direct access to our servers, and any government agency requesting customer content must get a court order.”
Either Snowden is lying, or Apple is.
There are lots of potential explanations here. It’s possible and even likely that in an org as large as Apple, the people writing press copy simply are not exposed to all of the details of all of the moving parts that enable realtime surveillance of their userbase. They can also use a different definition of “direct access” (while providing realtime unsupervised access via API, but not via physical (“direct”) entry to a datacenter building).
Apple also claims (in HT202303) that iMessage is end to end encrypted, when for the vast majority of the userbase of iMessage, Apple has copies (readable to Apple) of the endpoint private keys and can, if they wish, decrypt and read and store anyone’s iMessages in realtime as if they were not encrypted at all. It’s still “end to end encrypted” if there is a key escrow backdoor in the system that defeats the end to end encryption. It’s like putting a $5 gym lock on a cardboard box. It’s not lying to say that you locked it up.
You can make factually accurate statements about certain specific things that paint a picture or strongly imply a state of affairs that is diametrically opposed to the truth. Apple is, as far as I can tell, the best in the world at this type of misdirection. It even fools professional journalists.
For example: if they log the client IP of all requests to the API, the statement you quoted holds true - and yet it is still trivial to make a single query to a) relate all of your API requests together, and b) relate them to your identity via Apple’s many other APIs. The “rotating” implies that it is unlinked, but does not guarantee that it is unlinkable (eg from having client IP and timestamp columns in the data).
Apple is skilled at lying by saying only very specific, true things, as confusing as that may sound.
It is also a mistake to assume there is no importance because there is no threat model. Even if the data is never linked to you, it is a privacy violation for the keystrokes to leave your device if you don’t want them to. For a contrived example, you don’t need a threat model or ID linkage to not want your neck-down nudes leaked. A non-identifiable privacy violation is still a privacy violation.
> "is associated with a 15-minute random, rotating device-generated identifier"
Can someone clarify why that's done or how it could even be useful? It just seems (to me, naïvely) like if you're going to rotate the identifier every fifteen minutes, why even bother?
> Apple and everyone who works there is lying about it?
Perhaps we should ask people that bought iTruth for $299. But seriously, you are way too trusting of corporations and their public statements.
Reminds me of the bug where certain strings would crash apple products.
You thought only a bug inside your app could crash it?
Now your browser can crash because of a bug on a server, somewhere, which you weren't planning on browsing to, let alone even knew existed.
The future truly is here.
"A distributed system is one in which the failure of a computer you didn't even know existed can render your own computer unusable."
-- Leslie Lamport
It’s still a bug in the app.
“Fail gracefully” for malformed responses. If a JSON API all of a sudden starts returning a cloudflare html error response, you shouldn’t crash your iPhone app.
No, doesn’t crash for me.
In a blank address bar, not just anywhere. Crashed mine, sure enough, first try. I'm on 16.1 (haven't updated to 16.1.1 yet).
I try to avoid updating my iPhone for as long as humanly possible. I find updates generally bring bugs, features I don’t want, apps I don’t want, and sometimes taking away things I like.
This is the important point I think. Version of Safari is tied to version of OS.
I don't think 16.1.1 is unaffected. I'm on iOS 16.1.1 and can reproduce it. Blank address bar -> "old " -> crash. The second time I didn't need the space, as others have also reported.
It does for me. It's probably a tuple of (Safari, iOS, iPhone) version specific, for a couple of versions of each.
Which search engine are you using?
Looks like I have DDG configured as my default.
Has anybody reproduced this in… Firefox (on iOS of course)?
Asking for a friend who has Safari search suggestions disabled (so Safari does not crash) but encounters Firefox crashes regularly.
just got beta 2 installed and it did infact crash in safari
For me too, also with current public beta.
For goodness sake Apple - this takes the cake for weirdest bug since the early Windows 10 Preview build which caused random letters to be missing from text...
Can confirm. For me a reboot, administered immediately after 3 consecutive crashes a few hours ago, seemed to fix the issue.
Haven't updated to 16.1.1 and no issues.
in my phone nothing happens with "old ", but reproduced with okd
doesn't crash in private mode
My guess is that it depends on your browser history (and maybe other factors that influence what autocorrect or autocomplete wants to propose).
Huh, not replicable for me, in 16.1, on iPhone 13 Mini on EN-US. Was this added in 16.1.1?
I’m running the public beta of iOS 16.2; typing “old” in the address/search bar crashes Safari.
Crashes for me with "old" on iOS 16.0 with an iPhone 11
No it doesn’t. Better repro steps needed.
Edit: best guess so far: something regional or language dependent? Looks like US-specific search suggestions?
My non-crashing circumstances:
(iPhone11, iOS 15.6.1, Swedish language, in Sweden)
People are suggesting that it seems to come from Google suggestions, try first letters for local equivalents of Old Navy, Starbucks, Walmart, etc.
I have DDG as my search engine.
Crashes on my phone running 16.1.1.
People are suggesting it might be en-US only.
I use DDG as my search engine on 16.1.1, and live in Florida (the English speaking part), but I couldn't reproduce it.
Must be something else more complicated.
Crashed for me (iPhone 14, iOS 16.0.3)
are you trolling? type it into the search bar and it does crash
It’s not enough to do that. There is something more specific required: a specific version of iOS, a specific language, a particular phone, some setting, something in the search/url history etc.
But it clearly doesn’t reproduce across all devices/versions/settings with iOS Safari. Better repro steps needed.
The repro steps are accurate and sufficient on their own -- following the described steps does crash Safari for the reporting user (and many of us). What is missing is the complete device configuration which is distinct from steps (and would probably be overwhelming, in any case).
Tbf the “steps” in the tweet didn’t even specify where in Safari to enter the text (text area, search bar, anywhere). So even absent the relevant config I’d say it’s a pretty lacking bug report in the steps too.
You're right, that would have been useful.
* edit crazy typo
Doesn’t happen for me
They're not trolling. I typed it into the search bar. Safari didn't crash.
Is the person who wrote the tweet trolling? Probably not either.
But what type of iOS device do they have? Which version of iOS are they running? Which language and locale?
Those things matter. Other things that apparently shouldn't matter might matter as well: other apps installed or running, notification configuration, how many tabs they have open, whether they're connected via WiFi or 4G, etc.
We don't know any of that stuff. As GP said: better reproduction steps needed.
As it is this bug report is barely above the kind of "hurr durr it dern't work" support ticket that really pisses off everyone in my team, and indeed every support engineer, and software engineer I've ever worked with.
1) It's a tweet, not a bug report.
2) The very first thing any actual engineer on Apple's payroll ought to try to reproduce it will work (most recent official iOS, "happy path" settings that have Safari Suggestions turned on)
1) Yes, people use tweets to report bugs all the time. The problem with nitpicking is that anyone can pick your nits back, which leads me to...
2) Yes, they will, but that won't necessarily repro the bug without knowing which type of device it's running on, so at the very least they might need to check several different devices, and even then other factors can come into play that go beyond basic device configuration.
I'm sure, given that this appears to affect at least a significant minority of users, that Apple will be all over it and will find a way to repro it in relatively short order. Yet, at the same time, it's obscure enough to have escaped their no doubt reasonably robust QA processes before release, so it may well be there are some wrinkles to reproduction that aren't immediately apparent.
> 1) Yes, people use tweets to report bugs all the time. The problem with nitpicking is that anyone can pick your nits back, which leads me to...
People might. This one didn't even @ Apple. Jesus, HN (a sentiment the Tweet author has also expressed by now on the tweet thread, as they're apparently reading this and seeing y'all acting like this in public)
> 2) Yes, they will, but that won't necessarily repro the bug without knowing which type of device it's running on, so at the very least they might need to check several different devices, and even then other factors can come into play that go beyond basic device configuration.
Twitter figured this out in like 30 minutes. It's Safari Suggestions on any recent iOS. This may not be the platonic ideal of a bug report but it's not a bug report and also it happens, by chance, to be entirely fine even if it were, because this is super-easy to figure out.
> Twitter figured this out in like 30 minutes. It's Safari Suggestions on any recent iOS.
no, it really didn’t.
i’m on 16.1.1 with suggestions on and it does not crash.
> It's Safari Suggestions on any recent iOS.
... and what more? in US? On en-US language? Because it doesn't seem to be that universal.
"support ticket that really pisses off everyone in my team, and indeed every support engineer, and software engineer I've ever worked with"
I'm sorry to to be the one to break this to you -- you have only worked with bad engineers.
If you get a bug report like this, where some simple user action like typing three characters is causing client devices to crash, you better be more mad at your busted ass system than a sparse bug report.
I think the suggestion that “X crashes Safari for at least one user” vs “X crashes Safari for all users” is a pretty different severity so the relevance of this story hinges on if it’s some minority of users or a large majority, or even all users.
I don’t think it’s unreasonable to try to narrow it down here simply because the story sort of hinges on the magnitude here.
It's not the user's job to figure out that it only happens in Florida on Tuesdays. They may not even be able to change all the relevant variables.
Apple developers should look at the stack trace that should either be sent automatically when it crashes (if privacy settings allow), or with a problem report sent from the device.
If this is a widespread issue, devs should have already gotten an automated alert.
iPhone 14, iOS 16.0.3 English, US, No Tabs, Wifi
Launch Safari
Tap address bar
Type "old"
Yes! See, this is what we need more of!
Surely there's an automated battery of configurations that devs can test against if they really want to fix the bug?
iPhone 8, iOS 16.1 (20B82) English, US, No Tabs, Wifi
Launch Safari
Tap address bar
Type "old "
Boom!
Now we're talking!
Crashes on mine, don’t put the quotes…