A security researcher has discovered a vulnerability in the WebKit rendering engine used by Safari that crashes and restarts the iOS operating system used by iPhones and iPads.
The vulnerability can be exploited by loading an HTML page that uses specially crafted CSS code. The CSS code isn't very complex and tries to apply a CSS effect known as backdrop-filter to a series of nested page segments (DIVs).
Also: Best Home Security Devices for 2018 CNET
Backdrop-filter is a relative new CSS property and works by blurring or color shifting to the area behind an element. This is a heavy processing task, and some software engineers and web developers have speculated that the rendering of this effect takes a toll on iOS' graphics processing library, eventually leading to a crash of the mobile OS altogether.
Sabri Haddouche, a software engineer and security researcher at encrypted instant messaging app Wire, is the one who discovered the vulnerability, and published proof-of-concept code on Twitter earlier today.
This link will crash your iOS device, while this link will show the source code behind the vulnerability. Haddouche also tweeted a video of the vulnerability crashing his phone:
"The attack uses a weakness in the -webkit-backdrop-filter CSS property, which uses 3D acceleration to process elements behind them," Haddouche told ZDNet in an interview.
"By using nested divs with that property, we can quickly consume all graphic resources and freeze or kernel panic the OS."
Also: Why free VPNs are not a risk worth taking
But Haddouche also says the vulnerability also affects macOS systems and not just iOS.
"With the current attack (CSS/HTML only), it will just freeze Safari for a minute then slow it down," the researcher told ZDNet. "You will be able to close the tab afterward."
Also: 7 tips for SMBs to improve data security TechRepublic
The researcher says he already notified Apple of the issue before publishing the code on Twitter.
"I contacted them using their security product email," Haddouche told ZDNet. "They confirmed they received the issue and are investigating it."
On a side note, as one iOS developer told ZDNet, the vulnerability could be more widespread than previously thought. This is because Apple forces all browsers and HTML-capable apps listed on the App Store to use its WebKit rendering engine, meaning the issue will most likely crash any app that's capable of loading a web page.
These are 2018's biggest hacks, leaks, and data breaches
Previous and related coverage:
What is malware? Everything you need to know
Cyber attacks and malware are one of the biggest threats on the internet. Learn about the different types of malware - and how to avoid falling victim to attacks.
Security 101: Here's how to keep your data private, step by step
This simple advice will help to protect you against hackers and government surveillance.
VPN services 2018: The ultimate guide to protecting your data on the internet
Whether you're in the office or on the road, a VPN is still one of the best ways to protect yourself on the big, bad internet.