A security researcher named Sabri Haddouche has discovered a new flaw in WebKit, the layout engine which allows Apple’s Safari browser to render web pages, that causes an iOS device to crash with just 15 lines of code embedded in a link. The code takes advantage of a vulnerability in WebKit and overloads the system resources which forces an iPhone or an iPad to crash when the webpage is accessed via the Safari browser.
“Anything that renders HTML on iOS is affected”, Sabri was quoted as saying by TechCrunch. The security expert has published the code on his GitHub page and has also created a webpage containing the same code that can cause an iOS device to crash or reboot.
How to force restart any iOS device with just CSS? 💣
IF YOU WANT TO TRY (DON’T BLAME ME IF YOU CLICK) : https://t.co/4Ql8uDYvY3
— Sabri (@pwnsdx) September 15, 2018
The security researcher explained that a number of elements in the code are repeated ‘inside a backdrop filter property in CSS’, which end up using all of the available system resources and trigger a process called ‘kernel panic’ that shuts down a device in order to prevent damage. For some users, their device will simply shut down, while in the case of a few others, their iPhone or iPad will reboot.
It has been verified that the code affects devices running the most recent stable iOS (v11.4.1) build as well as the latest iOS 12 beta update. The exploit can also cause macOS devices to freeze when the webpage is opened in Safari.
The code is fool-proof and there is no way to prevent it from shutting down or rebooting an iOS device, but luckily, the exploit cannot be used to seed malware for stealing data or doing any other form of damage.