A new CSS-based web attack will crash and restart your iPhone
Sabri Haddouche tweeted a proof-of-concept webpage with just 15 lines of code which, if visited, will crash and restart an iPhone or iPad. Those on macOS may also see Safari freeze when opening the link. The code exploits a weakness in iOS’ web rendering engine WebKit, which Apple mandates all apps and browsers use,Haddouche told TechCrunch.
He explained that nesting a ton of elements — such astags — inside a backdrop filter property in CSS, you can use up all of the device’s resources and cause a kernel panic, which shuts down and restarts the operating system to prevent damage. TechCrunch tested the exploit running on the most recent mobile software iOS 11.4.1, and confirm it crashes and restarts the phone. Thomas Reed, director of Mac & Mobile at security firm Malwarebytes confirmed that the most recent iOS 12 beta also froze when tapping the link.
The lucky whose devices won’t crash may just see their device restart (or “respring”) the user interface instead. For those curious, you can see how it workswithout it running the crash-inducing code. The good news is that as annoying as this attack is, it can’t be used to run malicious code, he said, meaning malware can’t run and data can’t be stolen using this attack.
But there’s no easy way to prevent the attack from working. One tap on a booby-trapped link sent in a message or opening an HTML email that renders the code can crash the device instantly.