INSUBCONTINENT EXCLUSIVE:
A security researcher has found a new way to crash and restart any iPhone — with just a few lines of code.
Sabri Haddouche tweeted a
proof-of-concept webpage with just 15 lines of code which, if visited, will crash and restart an iPhone or iPad
Those on macOS may also see Safari freeze when opening the link.
The code exploits a weakness in iOS& web rendering engine WebKit, which
Apple mandates all apps and browsers use,Haddouche told TechCrunch
He explained that nesting a ton of elements — such aslt;div>tags — inside a backdrop filter property in CSS, you can use up all of the
device resources and cause a kernel panic, which shuts down and restarts the operating system to prevent damage.
Anything that renders HTML
on iOS is affected,& he said
That means anyone sending you a link on Facebook or Twitter, or if any webpage you visit includes the code, or anyone sending you an email,
he warned.
How to force restart any iOS device with just CSS
Source: https://t.co/Ib6dBDUOhn
IF YOU WANT TO TRY (DON&T BLAME ME IF YOU
CLICK) https://t.co/4Ql8uDYvY3
mdash; Sabri (@pwnsdx) September 15, 2018
TechCrunch tested the exploit running on the most recent mobile
software iOS 11.4.1, and confirm it crashes and restarts the phone
Thomas Reed, director of Mac Mobile at security firm Malwarebytes confirmed that the most recent iOS 12 beta also froze when tapping the
link.
The lucky whose devices won''t crash may just see their device restart (or &respring&) the user interface instead.
For those curious,
you can see how it workswithout it running the crash-inducing code.
The good news is that as annoying as this attack is, it can''t be used
to run malicious code, he said, meaning malware can''t run and data can''t be stolen using this attack
But there no easy way to prevent the attack from working
One tap on a booby-trapped link sent in a message or opening an HTML email that renders the code can crash the device instantly.
Haddouche
contacted Apple on Friday about the attack, which is said to be investigating
A spokesperson did not immediately respond to a request for comment.
