
How to crash and restart an iPhone with a CSS-based web attack

Graham CLULEY

September 17, 2018


A security researcher has revealed a method of crashing and restarting iPhones and iPads, with just a few lines of code that could be added to any webpage.

Sabri Haddouche tweeted a link to a webpage containing his 15-line proof-of-concept attack, which exploits a vulnerability in the WebKit web rendering engine used by Apple’s Safari browser.

Haddouche, whose day job is on Wire’s security team, demonstrated that the Safari browser could be easily overloaded by applying a CSS background-filter property to over 3,000 nested <div> tags.

As WebKit’s rendering engine consumes resources, iOS eventually freezes and devices can crash and restart.
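An added example, not code from this article or from the researcher: a scanner that a web proxy or mail gateway could run over fetched HTML to flag the page shape described above, namely very deep `<div>` nesting combined with a CSS filter declaration. The `scan` function, its `max_depth` default and the property-name pattern are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Any CSS property whose name ends in "filter" (assumption: covers the
# "background-filter" property named in the article and vendor prefixes).
FILTER_PROP = re.compile(r"[\w-]*filter\s*:", re.IGNORECASE)

class NestingScanner(HTMLParser):
    """Tracks the deepest <div> nesting and counts filter declarations."""
    def __init__(self):
        super().__init__()
        self.depth = self.max_div_depth = self.filter_rules = 0
        self.in_style = False

    def handle_starttag(self, tag, attrs):
        if tag == "div":  # unclosed <div>s still deepen the tree
            self.depth += 1
            self.max_div_depth = max(self.max_div_depth, self.depth)
        elif tag == "style":
            self.in_style = True
        if FILTER_PROP.search(dict(attrs).get("style") or ""):
            self.filter_rules += 1  # inline style="" declaration

    def handle_endtag(self, tag):
        if tag == "div" and self.depth:
            self.depth -= 1
        elif tag == "style":
            self.in_style = False

    def handle_data(self, data):
        if self.in_style:  # body of a <style> block
            self.filter_rules += len(FILTER_PROP.findall(data))

def scan(html, max_depth=1000):
    """Return nesting metrics; max_depth is a hypothetical tuning value."""
    s = NestingScanner()
    s.feed(html)
    s.close()
    hit = s.max_div_depth >= max_depth and s.filter_rules > 0
    return {"max_div_depth": s.max_div_depth,
            "filter_rules": s.filter_rules, "suspicious": hit}

# Constructed samples (shallow on purpose; the threshold is lowered to match).
STYLE = "<style>div { background-filter: blur(1px); }</style>"
BENIGN = STYLE + "<div><div><p>hello</p></div></div>"
DEEP = STYLE + "<div>" * 6 + "x"
PLAIN_DEEP = "<div>" * 6 + "x"

if __name__ == "__main__":
    for name, doc in [("benign", BENIGN), ("deep", DEEP), ("plain", PLAIN_DEEP)]:
        print(name, scan(doc, max_depth=5))
```

Requiring both signals keeps deeply nested but otherwise ordinary layouts from being flagged on depth alone.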

The good news is that the weakness cannot be exploited to steal information from iPhone and iPad users. However, it could be used by a mischief-maker or malicious attacker in a “denial-of-service” type of attack, effectively stopping a device from working.

Many users would certainly find it a more than trivial inconvenience to have their smartphones power cycle off, and take a few seconds to restart again (requiring a passcode to be entered).

According to reports, the attack works on a variety of versions of iOS, including the latest iOS 12 beta.

But it’s not just iOS users that are potentially at risk.

For instance, some have even produced videos which appear to demonstrate that Apple Watches are also vulnerable.

Furthermore, Haddouche told ZDNet that he had found that the weakness could also be targeted on the macOS version of Safari, although the effect is not as dramatic:

“With the current attack (CSS/HTML only), it will just freeze Safari for a minute then slow it down. You will be able to close the tab afterward.”

“To make it work on macOS, it requires a modified version containing Javascript. The reason why I did not publish it is that it seems that Safari persists after a forced reboot and the browser is launched again, therefore bricking the user’s session as the malicious page is executed once again.”

And if WebKit itself is vulnerable then it’s likely that there are many apps besides Safari that are at risk if they use WebKit for rendering webpages.

Haddouche has informed Apple about the vulnerability, and the company is believed to be investigating.

For now, without a patch available, there’s not much that users can do to prevent themselves from becoming the unwitting victims of the attack.

As always, be suspicious of links sent to you in unsolicited emails, and at least feel some consolation that this particular vulnerability is not going to lead to your private data being stolen.
