Sabri Haddouche, a security researcher at encrypted instant messaging app Wire, on Saturday tweeted the URL of a proof-of-concept (PoC) webpage that crashes iOS devices. Haddouche also posted the page's source code on GitHub; the exploit uses just 15 lines of specially crafted CSS and HTML. When visited on any iPhone or iPad, this 15-line snippet can cause the device to restart. According to Haddouche’s PoC, the attack exploits a weakness in Apple’s web rendering engine, WebKit. The code, based on HTML and CSS, contains numerous <div> tags.
For those unaware, WebKit is the web browser engine used by Safari, Mail, App Store, and many other apps on macOS, iOS, and Linux.
“The attack uses a weakness in the -webkit-backdrop-filter CSS property. By using nested divs with that property, we can quickly consume all graphic resources and crash or freeze the OS. The attack does not require JavaScript to be enabled, therefore it also works in Mail. On macOS, the UI freezes. On iOS, the device restarts,” Haddouche told Bleeping Computer.
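Because the pattern needs no JavaScript, a mail or web gateway can look for it in static HTML before WebKit renders it. The Python sketch below is an added example, not code from Haddouche's PoC or from this article; the class and function names, the threshold of 50 and the constructed sample are assumptions, and it resolves only simple tag and .class selectors.

```python
import re
from html.parser import HTMLParser

PROP = re.compile(r"(?:-webkit-)?backdrop-filter\s*:", re.I)
RULE = re.compile(r"([^{}]+)\{([^{}]*)\}")   # selector list { declarations }
VOID = {"br", "img", "hr", "input", "meta", "link", "area", "base", "col", "wbr"}

class BackdropDepth(HTMLParser):
    """Tracks how deeply elements that carry backdrop-filter are nested."""
    def __init__(self):
        super().__init__()
        self.stack = []          # (tag, carries_filter) per open element
        self.selectors = set()   # simple selectors whose <style> rule sets the property
        self.in_style = False
        self.depth = self.max_depth = 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self.in_style = self.in_style or tag == "style"
        if tag in VOID:
            return
        names = {tag} | {"." + c.lower() for c in (a.get("class") or "").split()}
        hit = bool(PROP.search(a.get("style") or "")) or bool(names & self.selectors)
        self.stack.append((tag, hit))
        self.depth += hit
        self.max_depth = max(self.max_depth, self.depth)

    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False
        # Pop back to the matching open tag; stray closing tags are ignored.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                self.depth -= sum(h for _, h in self.stack[i:])
                del self.stack[i:]
                break

    def handle_data(self, data):
        if self.in_style:
            for sel, body in RULE.findall(data):
                if PROP.search(body):
                    self.selectors.update(s.strip().lower() for s in sel.split(","))

def backdrop_filter_depth(html):
    parser = BackdropDepth()
    parser.feed(html)
    parser.close()
    return parser.max_depth

def is_suspicious(html, threshold=50):   # threshold is an assumed tuning value
    return backdrop_filter_depth(html) >= threshold

# Constructed sample: four nested elements, far too few to affect a renderer.
SAMPLE = ("<style>.g { -webkit-backdrop-filter: blur(2px); }</style>"
          + "<div class='g'>" * 4 + "</div>" * 4)
```

Sibling elements with the property do not raise the depth; only nesting does, which matches the behaviour Haddouche describes.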
Since Apple’s App Store rules don’t allow developers to bring their own rendering engine, all apps and browsers are required to use WebKit. As a result, the code works on almost all Apple devices, making all iOS browsers susceptible to the attack.
On macOS, on the other hand, the CSS/HTML attack only slows down the browser, but adding JavaScript into the equation can brick macOS.
“With the current attack (CSS/HTML only), it will just freeze Safari for a minute then slow it down,” Haddouche revealed.
“You will be able to close the tab afterward. To make it work on macOS, it requires a modified version containing JavaScript. The reason why I did not publish it is that it seems that Safari persists after a forced reboot and the browser is launched again, therefore bricking the user’s session as the malicious page is executed once again”, he added.
However, Haddouche notes that the bug cannot be used to run malicious software or to steal a user’s data. But if someone shares a link to such a webpage disguised as some other URL and you click it, your iPhone will restart. This is annoying, but it has no major consequences.
The researcher claims he advised Apple about the issue before publishing the code on social media. Apple has confirmed it is aware of the glitch and is investigating it.
Check out the video demonstration published by the researcher that shows the iPhone crash attack in action.