What just happened? A security researcher finds a WebKit vulnerability that can instantly freeze and reboot any iOS device. The exploit affects all browsers installed on iOS and can even freeze Safari on macOS.
Sabri Haddouche, a security researcher at Wire, has found a vulnerability in Apple's WebKit rendering engine that, if exploited, can crash and restart any iOS device.
To prove it, Sabri created an experimental webpage with just 15 lines of code. He explained that if you nest elements such as div tags inside of a backdrop-filter CSS property, it will end up using all of the device's resources and cause a kernel panic.
Because the vulnerability is in WebKit, any browser on iOS is affected, since Apple mandates that every third-party browser on iOS use the WebKit rendering engine. The exploit was tested on iOS 11.4.1 as well as the current iOS 12 beta by Malwarebytes and confirmed working on both.
Fortunately, while someone could simply create a web page with the CSS embedded, the vulnerability is relatively benign, meaning that hackers can't run malicious code to steal data using this exploit. That said, it's still pretty annoying that someone can simply send you a text or email with the link and instantly crash your iPhone. There's no way to actually avoid it (beyond not clicking on it). Furthermore, macOS users are also affected, as it will freeze the Safari browser if the link is clicked.
Sabri has contacted Apple about the vulnerability, and the company is looking into it. Feel free to try the exploit out at your own risk below. The GitHub link is also in Sabri's tweet if you want to see how it actually works without crashing your phone.
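For teams that scan links arriving by text or email, the pattern described above (elements nested inside one another, each carrying a backdrop-filter) can be flagged statically before a user opens the page. The following Python is an added example, not code from the researcher or from this article; the depth threshold, the function names and the two sample pages are assumptions constructed for illustration, and the check only understands plain tag selectors in style blocks and inline style attributes.

```python
import re
from html.parser import HTMLParser

MAX_FILTER_DEPTH = 8  # assumed threshold; tune against pages you consider normal
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link", "meta", "wbr"}
# Matches backdrop-filter and -webkit-backdrop-filter, but not a value of "none".
FILTER_RE = re.compile(r"backdrop-filter\s*:(?!\s*none\b)", re.I)
STYLE_RE = re.compile(r"<style\b[^>]*>(.*?)</style>", re.I | re.S)
RULE_RE = re.compile(r"([^{}]+)\{([^{}]*)\}")

def filtered_tags(html):
    """Tag names (or '*') that a <style> rule gives a backdrop-filter."""
    tags = set()
    for css in STYLE_RE.findall(html):
        for selectors, body in RULE_RE.findall(css):
            if FILTER_RE.search(body):
                for sel in selectors.split(","):
                    sel = sel.strip().lower()
                    if re.fullmatch(r"\*|[a-z][a-z0-9]*", sel):
                        tags.add(sel)
    return tags

class _DepthScanner(HTMLParser):
    def __init__(self, tags):
        super().__init__()
        self.tags, self.stack, self.depth, self.max_depth = tags, [], 0, 0

    def handle_starttag(self, tag, attrs):
        if tag in VOID:  # void elements never nest, so they are not tracked
            return
        inline = dict(attrs).get("style") or ""
        hit = tag in self.tags or "*" in self.tags or bool(FILTER_RE.search(inline))
        self.stack.append((tag, hit))
        self.depth += hit  # running count of open elements that carry the filter
        self.max_depth = max(self.max_depth, self.depth)

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; stray closing tags are ignored.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                self.depth -= sum(h for _, h in self.stack[i:])
                del self.stack[i:]
                break

def scan(html):
    """Return the deepest stack of backdrop-filtered elements and a verdict."""
    s = _DepthScanner(filtered_tags(html))
    s.feed(html)
    s.close()
    return {"max_depth": s.max_depth, "suspicious": s.max_depth > MAX_FILTER_DEPTH}

# Constructed samples (not taken from the researcher's page).
BENIGN = "<style>nav{backdrop-filter:blur(4px)}</style><nav><div><p>hi</p></div></nav>"
NESTED = "<style>div{-webkit-backdrop-filter:blur(4px)}</style>" + "<div>" * 12 + "</div>" * 12
```

A page that trips the check is a candidate for blocking or manual review, not proof of intent; rules applied through classes, IDs or external stylesheets are outside what this example inspects.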
How to force restart any iOS device with just CSS?
Source: https://t.co/Ib6dBDUOhn
IF YOU WANT TO TRY (DON’T BLAME ME IF YOU CLICK) : https://t.co/4Ql8uDYvY3
— Sabri (@pwnsdx) September 15, 2018
https://www.techspot.com/news/76469-crash-iphone-few-lines-css.html