15 lines of CSS code can cause Apple devices to crash, and the latest iOS 12 is not immune

Just 15 lines of CSS to crash your iPhone

Security researcher Sabri Haddouche of Wire has discovered a new attack that can cause iOS to reboot and macOS to freeze simply by visiting a webpage containing certain CSS and HTML. Windows and Linux users are not affected by this bug.

The attack exploits a weakness in the -webkit-backdrop-filter CSS property, by using nested divs with that property, it can quickly consume all graphical resources and crash or freeze the operating system. The attack does not require Javascript to be enabled, so it also works in Mail. On macOS, this manifests as a UI freeze. On iOS, this manifests itself as a device reboot. The attack affects all browsers on iOS, as well as Safari and Mail in macOS, since they all use the WebKit rendering engine.

For those who want to see the code that leads to this attack, the researchers have published it on their GitHub page.

Be careful when clicking on rawgit.com links, as it can quickly crash iOS or cause problems on your Mac.

rawgit.com link:

https://www.bleepingcomputer.com/news/security/new-css-attack-restarts-an-iphone-or-freezes-a-mac/

Code GitHub:

https://gist.github.com/pwnsdx/ce64de2760996a6c432f06d612e33aea

Open this GitHub page and you can see the code as follows:

The red part above is a base64-encoded image, and below it are many <div> tags. As Haddouche said, the purpose of the attack is to consume device resources by embedding a large number of HTML element tags in the filter attributes.