The security researcher Sabri Haddouche from Wire devised a new attack method that saturates Apple device’s resources and causing it crashes or system restarts when visiting a web page. The experts discovered that iOS restart and macOS freezes when the user visits a web page that contains certain CSS & HTML.
Depending on the version of iOS being used, the bug could trigger the UI restart, cause a kernel panic and consequent device reboot.
How to force restart any iOS device with just CSS? 💣
IF YOU WANT TO TRY (DON’T BLAME ME IF YOU CLICK) : https://t.co/4Ql8uDYvY3
— Sabri (@pwnsdx) September 15, 2018
This attack leverages a weakness in the -webkit-backdrop-filter CSS, for this reason, it affects all browsers on iOS that leverage on WebKit as rendering engine is WebKit. The weakness also affects Safari and Mail in macOS, but it doesn’t affect Linux and Windows systems.
Haddouche successfully tested the attack on iOS 12 and caused the device to reboot, on iOS 11.4.1 it only caused a UI restart.
Haddouche explained that on macOS, the attack will only cause Mail and Safari to freeze for a second and then slow down the computer.
Lawrence Abrams from Bleeping Computer created a video showing what happens when a user visits the attack page created by Haddouche (sees the rawgit[.]com) and published on Github. Lawrence used an iPhone running iOS 11.4.1.
The bad news is that there is no mitigation for this attack.
(Security Affairs – iPhone reboot, CSS attack)