New CSS Based Attack Restarts an iPhone or Freezes a MacOS

A new attack has been discovered that will cause iOS to restart or respring and macOS to freeze simply by visiting a web page that contains certain CSS & HTML. Windows and Linux users are not affected by this bug.

This new attack was discovered by Sabri Haddouche, a security researcher at Wire, who was able to devise a way to quickly use up an Apple device’s resources so that it crashes when visiting a web page.

“The attack uses a weakness in the -webkit-backdrop-filter CSS property,” Haddouche told BleepingComputer. “By using nested divs with that property, we can quickly consume all graphics resources and crash or freeze the OS. The attack does not require Javascript to be enabled therefore it also works in Mail. On macOS, the UI freeze. On iOS, the device restart.”

This attack affects all browsers on iOS, as well as Safari and Mail in macOS because they all use the WebKit rendering engine.

“All browsers on iOS are affected because the underlying rendering engine is WebKit,”  Haddouche explained. “As per App Store rules, it is forbidden to bring your own rendering engine.”

Depending on the version of iOS being used, it could cause a respring, which is a UI restart, or a kernel panic that causes the device to reboot. For example, Haddouche performed his tests on an iOS 12 and the device completely rebooted, but on iOS 11.4.1, it only caused a respring.

For macOS, the attack will only cause Mail and Safari to freeze for a second and then slow down the computer.

Haddouche has told BleepingComputer that he has created an additional attack using HTML, CSS, and JavaScript that will totally freeze macOS computers. He has not released it as it persists after reboot and macOS will relaunch Safari with the malicious page as well, making the computer freeze again.

The attack works by simply by visiting a web page

When a user visits a page hosting this specially crafted CSS & HTML, depending on the iOS version, the device will quickly use up all available resources. On iOS, this will cause either a kernel panic and a reboot or a restarting of the iOS SpringBoard.

For Mac users, this will cause your computer to freeze briefly and slow down, but you can close the Safari tab to stop the attack. It does not brick Mac computers but causes the Safari session to automatically start and freeze the Mac again.

To illustrate this attack, I created a video showing what happens when you visit Haddouche’s attack page on Github with an iPhone running iOS 11.4.1. As you can see, once I visited the page the iOS SpringBoard quickly crashed and restarted.

Video Demonstration

Unfortunately, at this time there is no way to mitigate against this type of attack. Haddouche has told BleepingComputer that other than “not clicking on random links, Apple will have to deploy a fix.”

For those who want to see the CSS & HTML that causes this attack, the researcher has posted it on his GitHub page. Just be careful when clicking on the link as it will quickly crash your iOS or cause problems on your Mac.

Credit: BleepingComputer

CEH Course In pune | Slink

Jai Prajapati

Jai Prajapati is a security analyst and author for Securityleaks, where he passion for covering latest happening in cybersecurity world such as malware, breaches, vulnerabilities, exploits, white-papers, hacking newsbytes, Dark Web, hacking tutorials and a few more.

Leave a Reply

Your email address will not be published. Required fields are marked *