Nasty piece of CSS code crashes and restarts iPhones

Vulnerability most likely affects any iOS and macOS app that uses the WebKit rendering engine to display web pages. Apple is investigating.
Written by Catalin Cimpanu, Contributor

A security researcher has discovered a vulnerability in the WebKit rendering engine used by Safari that crashes and restarts the iOS operating system used by iPhones and iPads.

The vulnerability can be exploited by loading an HTML page that uses specially crafted CSS code. The CSS code isn't very complex and tries to apply a CSS effect known as backdrop-filter to a series of nested page segments (DIVs).

Also: Best Home Security Devices for 2018 CNET

Backdrop-filter is a relative new CSS property and works by blurring or color shifting to the area behind an element. This is a heavy processing task, and some software engineers and web developers have speculated that the rendering of this effect takes a toll on iOS' graphics processing library, eventually leading to a crash of the mobile OS altogether.

Sabri Haddouche, a software engineer and security researcher at encrypted instant messaging app Wire, is the one who discovered the vulnerability, and published proof-of-concept code on Twitter earlier today.

This link will crash your iOS device, while this link will show the source code behind the vulnerability. Haddouche also tweeted a video of the vulnerability crashing his phone:

"The attack uses a weakness in the -webkit-backdrop-filter CSS property, which uses 3D acceleration to process elements behind them," Haddouche told ZDNet in an interview.

"By using nested divs with that property, we can quickly consume all graphic resources and freeze or kernel panic the OS."

Also: Why free VPNs are not a risk worth taking

But Haddouche also says the vulnerability also affects macOS systems and not just iOS.

"With the current attack (CSS/HTML only), it will just freeze Safari for a minute then slow it down," the researcher told ZDNet. "You will be able to close the tab afterward."

"To make it work on macOS, it requires a modified version containing Javascript," he added. "The reason why I did not publish it is that it seems that Safari persists after a forced reboot and the browser is launched again, therefore bricking the user's session as the malicious page is executed once again."

Also: 7 tips for SMBs to improve data security TechRepublic

The researcher says he already notified Apple of the issue before publishing the code on Twitter.

"I contacted them using their security product email," Haddouche told ZDNet. "They confirmed they received the issue and are investigating it."

Haddouche told ZDNet he discovered the vulnerability while researching reliable denial of service (DoS) bugs on multiple browsers. At the start of the month, Haddouche also published another exploit that crashed Chrome and Chrome OS with one line of JavaScript.

On a side note, as one iOS developer told ZDNet, the vulnerability could be more widespread than previously thought. This is because Apple forces all browsers and HTML-capable apps listed on the App Store to use its WebKit rendering engine, meaning the issue will most likely crash any app that's capable of loading a web page.

These are 2018's biggest hacks, leaks, and data breaches

Previous and related coverage:

What is malware? Everything you need to know

Cyber attacks and malware are one of the biggest threats on the internet. Learn about the different types of malware - and how to avoid falling victim to attacks.

Security 101: Here's how to keep your data private, step by step

This simple advice will help to protect you against hackers and government surveillance.

VPN services 2018: The ultimate guide to protecting your data on the internet

Whether you're in the office or on the road, a VPN is still one of the best ways to protect yourself on the big, bad internet.

Editorial standards