A new CSS attack method could freeze iPhones and restart macOS systems
- This attack affects all browsers on iOS, including Safari, and Mail in macOS.
- Apple device users are advised not to click on random links to stay safe from the attack.
A security expert has discovered a new attack method that could crash or restart Apple devices merely by visiting a web page. The attack leverages a weakness in WebKit, the web rendering engine used by iOS, which is an open source web browser engine approved by Apple.
Security researcher Sabri Haddouche, who developed the new attack technique, discovered that the attack can also cause Safari and Mail on macOS to freeze when visiting the web page. The web page used for the attack contains 15 lines of code made up of certain Cascading Style Sheets (CSS) and HTML.
How the attack works
The attack affects all browsers on iOS, including Safari, and Mail in macOS. However, Windows and Linux users are not affected by this bug.
"All browsers on iOS are affected because the underlying rendering engine is WebKit. As per App Store rules, it is forbidden to bring your own rendering engine," Haddouche added, BleepingComputer reported.
The experiment was performed successfully on iOS 12, where executing the code caused the device to reboot completely. However, when the same code was used on iOS 11.4.1, it only caused the device to restart.
The proof-of-concept of the attack has been published on GitHub by Lawrence Abrams from BleepingComputer.
To stay safe, Haddouche currently advises Apple device users not to click on random links. Meanwhile, Apple is investigating the matter.