A security researcher has found a new way to crash and restart any iPhone by using just a few lines of code. Sabri Haddouche, a researcher at encrypted instant messaging app Wire, published a proof-of-concept web page containing an exploit that uses only 15 lines of specially crafted CSS & HTML code.
Rather than a simple crash, visiting the web page can cause a full device kernel panic and an entire system reboot. Those using macOS may also see Safari freeze when opening the link.
The code exploits a weakness in Apple’s web rendering engine WebKit, which is used by all apps and web browsers running on Apple’s operating system.
Since WebKit fails to properly load multiple elements such as “div” tags inside a backdrop filter property in CSS, Haddouche created a web page that uses up all of the device’s resources, causing the device to shut down and restart due to a kernel panic.
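For filtering at a mail gateway or web proxy, the trait described above (many “div” elements on a page that also uses the backdrop filter property) can be checked statically. The following is an added example, not code from Haddouche or Apple; the function names, the depth metric, and the `div_threshold` value are assumptions to be tuned against real traffic.

```python
import re
from html.parser import HTMLParser

# The CSS property named in the article, with or without the vendor prefix.
BACKDROP_RE = re.compile(r"(?:-webkit-)?backdrop-filter\s*:", re.I)

class BackdropDivScanner(HTMLParser):
    """Collects div count, deepest div nesting, and backdrop-filter use."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.div_count = 0
        self.depth = 0
        self.max_depth = 0
        self.uses_backdrop = False
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
        elif tag == "div":
            self.div_count += 1
            self.depth += 1
            self.max_depth = max(self.max_depth, self.depth)
        # Inline style attributes can carry the property too.
        if BACKDROP_RE.search(dict(attrs).get("style") or ""):
            self.uses_backdrop = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False
        elif tag == "div" and self.depth > 0:
            self.depth -= 1

    def handle_data(self, data):
        # Text inside <style> blocks is delivered here.
        if self._in_style and BACKDROP_RE.search(data):
            self.uses_backdrop = True

def scan_html(html, div_threshold=1000):
    """Flag pages that combine backdrop-filter with a very large div count.
    div_threshold is an assumed tuning value, not a figure from the article."""
    s = BackdropDivScanner()
    s.feed(html)
    s.close()
    return {"suspicious": s.uses_backdrop and s.div_count >= div_threshold,
            "uses_backdrop": s.uses_backdrop,
            "div_count": s.div_count, "max_depth": s.max_depth}

# Constructed samples: an ordinary page and a small page showing both traits.
BENIGN = "<html><body><div><p>hello</p></div></body></html>"
FLAGGED = "<style>div{backdrop-filter:blur(2px)}</style>" + "<div>" * 5 + "</div>" * 5
```

Legitimate pages also use `backdrop-filter`, so the verdict is only meaningful when the property and an unusually high element count appear together.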
He has published a video demonstration which shows the iPhone crash attack in action.
Web browsers such as Microsoft Edge, Internet Explorer, and Safari on iOS, as well as Safari and Mail in macOS, are vulnerable to this CSS-based web attack, as these browsers use the WebKit rendering engine.
Luckily, Windows and Linux users are not affected by this vulnerability.
However, the attack affects the latest versions of both the macOS and iOS operating systems. Apple users are therefore advised to be cautious when visiting any web page that includes the code, or when clicking on links sent over social media or via email.
Sabri Haddouche has posted the source code of the CSS & HTML web page that causes this attack on his GitHub page. He has also reported the WebKit vulnerability to Apple, and the company is possibly investigating the issue and working on a fix to address it in a future release.