A new vulnerability has been discovered in WebKit, the underlying engine that powers Safari on iPhone, iPad and macOS. A webpage with 15 lines of code in CSS can cause a kernel panic on an iPhone or iPad and force it to restart. Such a webpage can also cause Safari on Mac to crash, however, it will not restart macOS.
Details of the security flaw and its source code were shared by Sabri (@pwnsdx on Twitter), who is a security researcher. The issue does not impact just Safari, but it effects all default and third-party apps on iOS that use WebKit, as its HTML rendering engine. Since Apple does not allow other rendering engines, this potentially impacts all apps that render HTML on iOS, like Facebook or Twitter.
You can see the ‘Safari DOS’ code on GitHub. The code basically nests a lot of elements, <divs> in this case, inside a backdrop-filter property in CSS, forces WebKit to use up all system resources and crash the browser, app or operating system.
How to force restart any iOS device with just CSS? 💣
IF YOU WANT TO TRY (DON’T BLAME ME IF YOU CLICK) : https://t.co/4Ql8uDYvY3
— Sabri (@pwnsdx) September 15, 2018
The issue has been confirmed to impact iOS 11 and iOS 12. Some brave users even tested this on Apple Watch Series 3, which can now render webpages with watchOS 5 , and the vulnerability works there too.
Also looks like watchOS 5 is susceptible. pic.twitter.com/Mam8uTyuye
— Robert Petersen (@Sonikku_a2) September 15, 2018
If somehow, you still use Internet Explorer, you might want to stay away from such webpages as well. All versions of Internet Explorer are effected by this bit of code. Even though Internet Explorer does not use WebKit, the crash is related to the use of elements nesting as backdrop filter, which is not supported by any of these browsers.
Oops! Collateral damage…. all versions of IE crash 😂
Definitely due to elements nesting as backdrop filter is not supported by this browser. pic.twitter.com/yjtT8QxkA2
— Sabri (@pwnsdx) September 16, 2018
Since many apps, like iMessage, preview webpages when a link is shared, a kernel panic can be caused without even opening the URL. Sabri has contacted Apple and notified them about the vulnerability so it is expected that they will roll-out a fix in an upcoming iOS 12.0.1 or so release. A similar update for watchOS and macOS is also expected to fix this WebKit issue.