A security researcher has found a new way to crash and restart any iPhone with just a few lines of code, Owojela’s Blog reports.
Sabri Haddouche tweeted a proof-of-concept webpage with just 15 lines of code which, if visited, will crash and restart an iPhone or iPad. Those on macOS may also see Safari freeze when opening the link.
The code exploits a weakness in iOS’ web rendering engine WebKit, which Apple mandates all apps and browsers use, Haddouche told TechCrunch. He explained that by nesting a very large number of elements, such as <div> tags, inside an element with a backdrop filter property in CSS, you can use up all of the device’s resources and cause a kernel panic, which shuts down and restarts the operating system to prevent damage.
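One defensive use of that description, as an added example that is not from the article or from Haddouche’s proof of concept: a hypothetical Python checker for a mail gateway or link-preview service that parses incoming HTML, measures how deeply elements nest beneath a backdrop-filter declaration, and flags documents past an assumed, tunable threshold. The sample documents and the 200-level limit are constructed for the example.

```python
import re
from html.parser import HTMLParser

# Hypothetical gateway-side checker: flags HTML whose element nesting under a backdrop-filter is deep.
BACKDROP_RE = re.compile(r"backdrop-filter\s*:", re.IGNORECASE)
VOID_TAGS = {"br", "hr", "img", "input", "link", "meta", "source", "wbr"}  # never have children

class NestingAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []                # currently open non-void element tags
        self.filter_depths = []        # depths of open elements carrying an inline backdrop-filter
        self.max_depth = 0             # deepest nesting anywhere in the document
        self.filter_subtree_depth = 0  # deepest nesting below an inline backdrop-filter element
        self.inline_filter = self.stylesheet_filter = self._in_style = False
    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        self.stack.append(tag)
        depth = len(self.stack)
        self.max_depth = max(self.max_depth, depth)
        if BACKDROP_RE.search(dict(attrs).get("style") or ""):
            self.inline_filter = True
            self.filter_depths.append(depth)
        if self.filter_depths:  # measure from the outermost filtered ancestor
            self.filter_subtree_depth = max(self.filter_subtree_depth, depth - self.filter_depths[0])
        self._in_style = tag == "style"
    def handle_endtag(self, tag):
        self._in_style = False
        if tag in self.stack:  # tags never closed stay open, so depth can only over-count
            while self.stack.pop() != tag:
                pass
        self.filter_depths = [d for d in self.filter_depths if d <= len(self.stack)]
    def handle_data(self, data):  # <style> bodies arrive here as raw text
        if self._in_style and BACKDROP_RE.search(data):
            self.stylesheet_filter = True  # selector not resolved: treat whole tree as filtered

def audit_html(doc, depth_limit=200):  # depth_limit is an assumed threshold; tune per deployment
    p = NestingAuditor()
    p.feed(doc); p.close()
    affected = p.max_depth if p.stylesheet_filter else p.filter_subtree_depth
    return {"uses_backdrop_filter": p.inline_filter or p.stylesheet_filter, "max_depth": p.max_depth,
            "affected_depth": affected, "suspicious": affected >= depth_limit}

# Constructed samples (not from the article): an ordinary page, and one mirroring the
# "many elements nested inside a backdrop-filter" structure the article describes.
BENIGN_HTML = "<html><body><div style='backdrop-filter: blur(4px)'><p><span>hi</span></p></div></body></html>"
SUSPICIOUS_HTML = ("<html><body><div style='backdrop-filter: blur(4px)'>"
                   + "<div>" * 400 + "x" + "</div>" * 400 + "</div></body></html>")
```

Because a stylesheet selector cannot be resolved without a full CSS engine, any `backdrop-filter` inside a `<style>` block makes the checker score the whole document’s depth, which errs toward false positives rather than misses.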
“Anything that renders HTML on iOS is affected,” he said. That means a link someone sends you on Facebook or Twitter, any webpage you visit that includes the code, or an email someone sends you could all trigger it, he warned.
TechCrunch said they tested the exploit on the most recent mobile software, iOS 11.4.1, and confirmed that it crashes and restarts the phone. Thomas Reed, director of Mac & Mobile at security firm Malwarebytes, confirmed that the most recent iOS 12 beta also froze when tapping the link.
The lucky ones whose devices don’t crash may just see the user interface restart (a “respring”) instead.
For those curious, you can see how it works without running the crash-inducing code.
How to force restart any iOS device with just CSS? 💣
Source: https://t.co/Ib6dBDUOhn
IF YOU WANT TO TRY (DON’T BLAME ME IF YOU CLICK) : https://t.co/4Ql8uDYvY3
— Sabri (@pwnsdx) September 15, 2018
The good news is that, as annoying as this attack is, it can’t be used to run malicious code, he said, meaning malware can’t run and data can’t be stolen using this attack. But there’s no easy way to prevent the attack from working. One tap on a booby-trapped link sent in a message, or opening an HTML email that renders the code, can crash the device instantly.
Haddouche contacted Apple on Friday about the attack, which the company is said to be investigating. A spokesperson did not immediately respond to a request for comment.