Crash your iPhone with just a few lines of CSS

David Matthews

Posts: 437   +88
Staff member
What just happened? A security researcher finds a WebKit vulnerability that can instantly freeze and reboot any iOS device. The exploit affects all browsers installed on iOS and can even freeze Safari on macOS.

Sabri Haddouche, a security researcher at Wire, has found an vulnerability in Apple's WebKit rendering engine that if exploited, can crash and restart any iOS device.

To prove it out, Sabri created an experimental webpage with just 15 lines of code. He explained that if you nest elements such as div tags inside of a backdrop filter CSS property, it will end up using all of the device's resources and cause a kernel panic.

Because the vulnerability is with WebKit, that means that any browser on iOS is affected since Apple mandates every third-party browser on iOS use the WebKit rendering engine. The exploit was tested on iOS 11.4.1 as well as the current iOS 12 beta by Malwarebytes and confirmed working on both.

Fortunately, while someone could just simply create a web page with the CSS embedded, the vulnerability is relatively benign. Meaning that hackers can't run malicious code to steal data using this exploit. That said, it's still pretty annoying that someone can simply send you a text or email with the link and instantly crash your iPhone. There's no way to actually avoid it (beyond not clicking on it). Furthermore, macOS users are also affected as it will freeze the Safari browser if the link is clicked.

Sabri has contacted Apple about the vulnerability who is subsequently looking into it. Feel free to try the exploit out at your own risk below. The Github link is also in Sabri's tweet if you want to see how it actually works without crashing your phone.

Permalink to story.

 
Back