CSS-Based Web Attack Crashes and Restarts an iPhone, Freezes a Mac
A security researcher has found an published a new way to crash and restart any iPhone or freeze any Mac.
Sabri Haddouche tweeted a proof-of-concept web page that demonstrates the attack (visit at your own risk), which is only 15 lines of code. If you visit the site, it will crash and restart an iPhone or iPad. On a Mac, you might see Safari freeze when you open this link.
How to force restart any iOS device with just CSS? ?
IF YOU WANT TO TRY (DON’T BLAME ME IF YOU CLICK) : https://t.co/4Ql8uDYvY3
— Sabri (@pwnsdx) September 15, 2018
The 15 lines of code exploit a bug in WebKit, the rendering engine used in Safari. By nesting a bunch of <div> tags inside a backdrop filter you can quickly use up all the device’s resources and cause a kernel panic. In order to prevent damage, the operating system will restart the device automatically.
The link will not only crash your iPhone if you visit from Safari but since Apple mandates WebKit be used for any app that displays web content, it will even have an effect in the Facebook app or by clicking a link in an email. For those who are curious, you can actually see the code from this GitHub Gist.
Haddouche has contacted Apple about the issue and they told him that they are investigating. However, Apple has not released any official comments about this bug.