Nasty piece of CSS code crashes and restarts iPhones

Security researchers have discovered a vulnerability in the WebKit rendering engine used in Safari. This vulnerability causes the iOS operating system used on iPhone and iPad to crash and restart.

This vulnerability could be exploited by reading HTML pages using specially crafted CSS code. The CSS code is not that complicated, trying to apply the CSS effect backdrop-filter to a series of nested page segments (DIV).

Backdrop-filter is a relatively new CSS property that works by blurring or moving colors in the area behind the element. This is a heavy work and some software engineers and web developers speculate that rendering this effect may affect the iOS graphics processing library and crash the mobile operating system . .

Sabri Haddouche, a software engineer and security researcher for encrypted instant messaging applications, discovered this vulnerability and released a proof of concept code. On Twitter Early today.

This link causes your iOS device to crash, but this link displays the source code of the vulnerability. Haddouche also tweeted video on his phone's vulnerability:

"In this attack weaknesses in CSS's Webkit-Backdrop-Filter property are used that use 3D acceleration to process the underlying elements. ZDNet At an interview

"By using nested divs with this property, you can quickly consume all graphics resources and freeze or delete the operating system kernel.

But Haddouche says that this vulnerability will affect not only iOS, but also the MacOS system.

"In the current attack (CSS / HTML only), freeze Safari for 1 minute and then slow down," the researcher said. ZDNet. "Then you can close the tab."

"For this to work on macOS, we need a modified version that includes Javascript," he added. "What I did not publish is that Safari seems to be continuing even if it is forcibly restarted, the browser is restarted and the malicious page is executed again, so that the user's session It is because it is blocked.

Researchers have said they have informed Apple about the problem before exposing the code to Twitter.

"I contacted you using the security product e-mail," says Haddouche. ZDNet. "They received the problem and confirmed that they were under investigation.

Said Haddouche ZDNet We have discovered this vulnerability by reliably detecting DoS attacks in multiple browsers. Early in the month, Haddouche too …

Hope you like the news Nasty piece of CSS code crashes and restarts iPhones. Stay Tuned For More Updates 🙂

Compsmag