[aiur3la]

Serious question: this is the third time a exploit of this kind is publicly revealed for this app. How comes we don't see a global hack outbreak?

I mean, script kiddies would love to break millions of phones. What has stopped them from doing that so far?

[dguido]

The motivation is pretty weak. If people found a way to make money by doing this, it would be massively exploited. But the reward for breaking a bunch of phones is... self satisfaction? ok.

[x1798DE]

I don't know that people were seriously making money on most of the script kiddie shit that was going on on the internet back before ransomware and bitcoin and such (other than AV vendors), and yet it was rampant anyway. I imagine there are still people out there who do this sort of thing "for the lulz".

[dimva]

I'm not so sure. Nowadays they can focus their energies on profitable activities like ransomware or adware. If you're going to break the law to cause grief anyway, why not make some money while you're at it?

[noxToken]

Because extortion is a separate crime.

[userbinator]

It's really just a temporary and pretty easily reverted DoS, so it's more of an annoyance than anything of a serious security exploit.

[pmorici]

Sending texts isn't free. Not many people are going to be willing to pay 5 cents a pop just to piss people off on a large scale.

[canuckintime]

Sending iMessage is 'free'

[h4waii]

You can quite easily purchase unlimited outbound SMS from just about any local carrier in any part of the world for less than $20, either one time or monthly.

It would be very easy to mass message this to an entire country in a matter of weeks.

[feld]

Even the best script kiddie would get bloody fingers trying to type in every possible phone number or iCloud address

There's no API. No real way to automate.

[gcr]

Messages on the mac can be automated with applescript.

    tell application "Messages"
      send "This is an iMessage" to buddy "foo@bar.com" of (service 1 whose service type is iMessage)
      send "This is an SMS" to buddy "+1234567890" of service "SMS"
    end tell

[goda90]

A robotic auto-dialer could fix that. Perhaps an app on a jailbroken phone could inject numbers into the input field?

[throwanem]

It'd be easier to automate the Messages app on an OS X device.

Another concern would be that Apple is likely to deactivate an ID used to send this kind of malicious spam at any sort of scale.

[Fnoord]

> Another concern would be that Apple is likely to deactivate an ID used to send this kind of malicious spam at any sort of scale.

Apple IDs can be easily remade. ProductIDs can be faked on a Hackintosh.

[natch]

The part you missed was: "at any sort of scale."

I'm pretty sure you would encounter ever-increasing levels of countermeasures as you tried more and more tricks at scale.

[natch]

But users will just update to the latest version if a few days, and then the juvenile fun will be over.

[twblalock]

There are a number of ways to automate text messages. That's how a lot of commercial text notifications work.