A CSS-Based Web Attack Can Restart Your iPhone Or Freeze Your Mac

A researcher discovered a new CSS-based web attack that can make your iPhone restart or respring. Moreover, Mac users may also be affected by the vulnerability.

CSS-Based Web Attack Affecting iOS And MacOS

Security researcher Sabri Haddouche discovered a new CSS-based web attack to crash iOS. According to his findings, simply clicking on a website with a particular 15 line code could trigger respring or restart in case of iOS. Whereas, for Mac users, the code could result in crashing the browser. He shared the Proof-of-Concept in a tweet.

He said to Bleeping Computer,

“The attack uses a weakness in the -webkit-backdrop-filter CSS property. By using nested divs with that property, we can quickly consume all graphic resources and crash or freeze the OS. The attack does not require Javascript to be enabled therefore it also works in Mail. On macOS, the UI freeze. On iOS, the device restart.”

Since all iOS browsers use the WebKit rendering engine, Therefore theoretically iOS browsers, Safari and Mail on MacOS would be vulnerable to this attack too.

Be Careful While Clicking On Any Links

Talking about the severity of the impact of this CSS-based web attack, Haddouche told TechCrunch,

“Anything that renders HTML on iOS is affected.”

It means the users should remain extremely vigilant when clicking any links, as they can instantaneously suffer a system crash. The link with this code may reach you via emails, Facebook, Twitter, or any other web page. Regarding whether your device would restart or respring, depends on the OS version. Haddouche tested his findings on iOS 12 that resulted in a complete reboot due to a “kernel panic”. However, on iOS 11.4.1, he only observed a respring or a UI restart.

This vulnerability primarily targets iOS and Mac users. Windows and Linux users remain safe from this attack. The researcher has already informed Apple of the vulnerability on Friday. So we can expect a fix for this vulnerability soon.

Related posts

Hard-Coded Credentials Vulnerability Found In Kubernetes Image Builder

Critical Vulnerability Patched In Jetpack WordPress Plugin

Astaroth Banking Malware Runs Actively Targets Users In Brazil