A new CSS-based web attack will crash and restart your iPhone

A security researcher has found a new way to crash and restart any iPhone — with just a few lines of code.

Sabri Haddouche tweeted a proof-of-concept webpage with just 15 lines of code which, if visited, will crash and restart an iPhone or iPad. Those on macOS may also see Safari freeze when opening the link.

The code exploits a weakness in iOS’ web rendering engine WebKit, which Apple mandates all apps and browsers use, Haddouche told TechCrunch. He explained that nesting a ton of elements — such assuch as < div > tags — inside a backdrop filter property in CSS, you can use up all of the device’s resources and cause a kernel panic, which shuts down and restarts the operating system to prevent damage.

“Anything that renders HTML on iOS is affected,” he said. That means anyone sending you a link on Facebook or Twitter, or if any webpage you visit includes the code, or anyone sending you an email, he warned.

TechCrunch tested the exploit running on the most recent mobile software iOS 11.4.1, and confirm it crashes and restarts the phone. Thomas Reed, director of Mac & Mobile at security firm Malwarebytes confirmed that the most recent iOS 12 beta also froze when tapping the link.

The good news is that as annoying as this attack is, it can’t be used to run malicious code, he said, meaning malware can’t run and data can’t be stolen using this attack. But there’s no easy way to prevent the attack from working. One tap on a booby-trapped link sent in a message or opening an HTML email that renders the code can crash the device instantly.

Haddouche contacted Apple on Friday about the attack, which is said to be investigating. A spokesperson did not immediately respond to a request for comment.

You can see the source code of the bug here; it’s only a few lines of HTML and CSS. You can open the ‘safari-ripper.html’ link on that page if you want to try it out yourself — but the usual disclaimers and warnings apply.

Advertisements