CSS Attack Causes iOS, macOS Devices to Crash

A newly-revealed proof-of-concept attack can cause iOS devices to crash or restart with a mere 15 lines of code, a researcher disclosed over the weekend.

On Saturday, researcher Sabri Haddouche, a security researcher at Wire, tweeted the source code of the proof-of-concept (PoC) attack that he said restarts iOS devices – such as the iPhone or iPad – with just a few lines of specially crafted Cascading Style Sheets (CSS) and HTML code.

How to force restart any iOS device with just CSS? 💣

Haddouche, who came across the attack after looking at DoS attacks on browsers last week, said that users who open a specially formatted link from any iOS-based browser, or using Safari on macOS, are privy to the attack.

He told Threatpost that he has notified Apple and the tech giant is investigating the issue. Apple did not respond to a request for comment.

The attack stems from a glitch in WebKit, an HTML layout browser engine in Apple’s Safari browser. The web browser engine is used by a number of apps including Apple’s own Mail app, the official App Store and other apps that use the underlying browser code on macOS, iOS and some versions of Linux.

While WebKit serves to process and render lines of HTML and CSS, there are certain elements that it cannot process, including one called <div> used specifically in Haddouche’s attack.

Haddouche essentially nested these incompatible elements in the backdrop filter CSS property, which is a line of code that lets users apply graphical effects such as blurring or color shifting to the area behind an element.

Once the PoC nested these elements into the backdrop filter code, the WebKit engine could not process it, causing it to use up all the resources in the device and trigger a kernel panic.

The code needs to first be sent to and opened by a victim for it to work. That means that an attacker could incorporate it into an HTML email and send it to a victim, whose iOS device would then crash when they open the link.

The proof of concept source code “can be embedded into any website, any email, QR code, even captive portals (when you connect to free Wi-Fi) [and] instantly crashes your device,” he told Threatpost.