This new CSS-based web attack can crash and restart iPhones or iPads and can cause a Mac computer to freeze
A security researcher has discovered a new iOS web attack that can cause an iPhone or iPad to restart and a Mac to freeze, if the device visits a webpage with specific CSS & HTML. However, this bug doesn’t affect users using Windows and Linux.
Sabri Haddouche, a security researcher at encrypted instant messaging app Wire, on Saturday tweeted the URL of a proof-of-concept (PoC) webpage that crashes iOS devices. Haddouche also posted the source code of the webpage on GitHub; the exploit uses just 15 lines of specially crafted CSS & HTML code. When visited on any iPhone or iPad, this 15-line snippet can cause the device to restart.
According to Haddouche's PoC, the attack exploits a weakness in Apple's web rendering engine, WebKit. The code, based on HTML and CSS, contains numerous <div> tags.
For those unaware, WebKit is the web browser engine used by Safari, Mail, App Store, and many other apps on macOS, iOS, and Linux.
Since Apple's App Store rules don't allow developers to bring their own rendering engine, all apps and browsers are required to use WebKit. As a result, the code works on almost all Apple devices, making all iOS browsers susceptible to the attack.
“With the current attack (CSS/HTML only), it will just freeze Safari for a minute then slow it down,” Haddouche revealed.
However, Haddouche notes the bug cannot be used to run any malicious software or to perform attacks that could steal a user's data. But if someone shares a link to such a webpage disguised as some other URL and you click it, your iPhone will restart. This can be annoying, but it has no major consequences.
The researcher says he advised Apple about the issue before publishing the code on social media. Apple has confirmed it is aware of the glitch and is investigating it.
Check out the video demonstration published by the researcher that shows the iPhone crash attack in action.