A new CSS attack method could freeze iPhones and restart macOS systems

  • This attack affects all browsers on iOS, including Safari, and Mail in macOS.
  • Apple device users are recommended not to click on random links to stay safe from the attack.

A security researcher has discovered a new attack method that can crash or restart Apple devices when they merely visit a web page. The attack leverages a weakness in WebKit, the open source browser engine Apple uses for web rendering on iOS.

Security researcher Sabri Haddouche, who developed the new attack technique, found that visiting the web page also freezes Safari and Mail on macOS. The page used for the attack contains 15 lines of code combining Cascading Style Sheets (CSS) and HTML.

How the attack works

"The attack uses a weakness in the -webkit-backdrop-filter CSS property," Haddouche told BleepingComputer. "By using nested divs with that property, we can quickly consume all graphics resources and crash or freeze the OS. The attack does not require Javascript to be enabled, therefore it also works in Mail. On macOS, the UI freezes. On iOS, the device restarts."

The attack affects all browsers on iOS, including Safari, and Mail in macOS. However, Windows and Linux users are not affected by this bug.

"All browsers on iOS are affected because the underlying rendering engine is WebKit. As per App Store rules, it is forbidden to bring your own rendering engine," Haddouche added, BleepingComputer reported.

The experiment was performed successfully on iOS 12, where executing the code rebooted the device completely. On iOS 11.4.1, however, the same code only caused the device to restart.
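The pattern Haddouche describes, many nested elements sharing a backdrop-filter style, is something a mail gateway or web proxy can measure before content reaches a WebKit renderer. The scanner below is an added example written for this article, not the researcher's proof of concept or code from the page; the depth threshold, the class names and the sample documents are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
# Added example (not the article's or the researcher's code): flag documents that
# nest many elements styled with backdrop-filter. The threshold is a hypothetical
# tuning value for a mail gateway or proxy, not a figure from the article.
RULE_RE = re.compile(r"([^{}]+)\{([^}]*)\}")   # crude "selector { body }" splitter
CLASS_RE = re.compile(r"\.([\w-]+)")
def filtered_classes_from_css(css):
    # Class names whose rule body sets any (-webkit-)backdrop-filter property.
    classes = set()
    for selector, body in RULE_RE.findall(css):
        if "backdrop-filter" in body.lower():
            classes.update(CLASS_RE.findall(selector))
    return classes
class BackdropNestingScanner(HTMLParser):
    # Tracks the deepest chain of nested elements that carry a backdrop filter.
    def __init__(self):
        super().__init__()
        self.stack = []                # (tag, is_filtered) for each open element
        self.in_style, self.css = False, ""
        self.filtered_classes = set()
        self.depth = self.max_depth = 0
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self.in_style = tag == "style"
        classes = set((a.get("class") or "").split())
        inline = (a.get("style") or "").lower()
        filtered = bool(classes & self.filtered_classes) or "backdrop-filter" in inline
        self.stack.append((tag, filtered))
        if filtered:
            self.depth += 1
            self.max_depth = max(self.max_depth, self.depth)
    def handle_data(self, data):
        if self.in_style:
            self.css += data
    def handle_endtag(self, tag):
        if tag == "style":             # stylesheet rules become known once <style> closes
            self.in_style = False
            self.filtered_classes |= filtered_classes_from_css(self.css)
        while self.stack:              # pop to the matching open tag; unclosed void tags do not skew depth
            open_tag, filtered = self.stack.pop()
            self.depth -= int(filtered)
            if open_tag == tag:
                break

def scan_html(html, threshold=10):
    # Returns (deepest filtered nesting, flagged) for one document.
    p = BackdropNestingScanner()
    p.feed(html); p.close()
    return p.max_depth, p.max_depth >= threshold
```

Rules defined in a `<style>` block only apply to elements that open after it closes, which matches the usual head-then-body layout; a stylesheet placed after the content would need a second pass.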

Haddouche told BleepingComputer that he has devised another attack method, using HTML, CSS, and JavaScript, that completely crashes macOS systems. That technique is still under development and has not been disclosed. The researcher explained that in this attack the macOS system returns to the same state even after rebooting, as Safari is redirected to the malicious page again, which causes the system to freeze once more.

The proof-of-concept of the attack has been published on GitHub by Lawrence Abrams from BleepingComputer.

To stay safe, Haddouche currently suggests that Apple device users not click on random links. Meanwhile, Apple is investigating the matter.