WebKit flaw crashes iPhones when malicious page opened in browsers, HTML-rendering apps

A security researcher has disclosed a bug in WebKit that can cause a kernel panic on an iOS device, prompting a restart of an affected iPhone or iPad, by exploiting a vulnerability in the rendering engine using just 15 lines of code in a webpage.

The code, posted to Twitter on Saturday by researcher Sabri Haddouche, crashes an iOS device as soon as the page is viewed, TechCrunch reports. The flaw also affects macOS, though less severely: Safari freezes shortly after visiting the same site.

While only 15 lines long, the page is effective at consuming resources on iOS devices, all by abusing CSS. Haddouche explained that the page nests a large number of "div" elements inside an element styled with the CSS backdrop-filter property, which exhausts the device's resources and triggers a kernel panic. The iOS device then reboots to avoid any potential damage.

"Anything that renders HTML on iOS is affected," according to Haddouche, which includes any app that uses WebKit, Apple's rendering engine of choice. That covers third-party browsers on iOS, which are required to use WebKit rather than their own rendering engine, as well as apps with a built-in browser for opening links, such as Twitter, and anything else that renders HTML, such as email clients.

How to force restart any iOS device with just CSS?

Source: https://t.co/Ib6dBDUOhn

IF YOU WANT TO TRY (DON'T BLAME ME IF YOU CLICK) : https://t.co/4Ql8uDYvY3

-- Sabri (@pwnsdx)

While the code can crash an iOS device, and others could use it to crash someone's iPhone or iPad by including the lines in a message, it is a mostly benign vulnerability in WebKit. Haddouche notes the code cannot be used to execute malware or to perform attacks that steal a user's data, but it is difficult to stop the crash once those lines have been loaded.

Haddouche has released the code via GitHub in a safe-to-view fashion, as well as through an active site so interested parties can see how it works on their own hardware. The researcher claims he advised Apple about the issue on Friday, with the company said to be investigating the matter.
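The article describes the trigger as a large number of nested div elements beneath an element styled with backdrop-filter. A client that renders untrusted HTML (a mail client or an in-app browser, both named above as affected) can measure exactly that property before handing the markup to the engine. The following is an added example written for this page; it is not Haddouche's code and not anything from WebKit or Apple. The depth limit of 64, the class-based selector matching, and the two sample documents are assumptions constructed for the example.

```python
"""Audit untrusted HTML for the nested-element / backdrop-filter pattern
described in the article, and optionally strip the declaration.

Added example, not the researcher's proof of concept. The depth limit and
the sample documents are constructed assumptions for illustration.
"""
from html.parser import HTMLParser
import re

# A backdrop-filter declaration, plain or -webkit- prefixed, inline or in a
# stylesheet. Quotes are excluded so a match never runs past a style="...".
BACKDROP_DECL = re.compile(r"(?:-webkit-)?backdrop-filter\s*:[^;}\"']*;?", re.IGNORECASE)
# Rough extraction of ".name { ... backdrop-filter ... }" class rules.
FILTER_CLASS_RULE = re.compile(r"\.([\w-]+)[^{}]*\{[^}]*backdrop-filter", re.IGNORECASE)
# Void elements never have children, so they must not deepen the stack.
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}


class NestingAuditor(HTMLParser):
    """Tracks element depth, and depth beneath the outermost filtered element."""

    def __init__(self):
        super().__init__()
        self.stack = []                 # open elements as (tag, is_filtered)
        self.filtered_classes = set()   # classes whose rule uses backdrop-filter
        self.in_style = False
        self.filtered_elements = 0
        self.max_depth = 0
        self.max_depth_under_filter = 0

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self.in_style = True
        a = dict(attrs)
        classes = (a.get("class") or "").split()
        inline = a.get("style") or ""
        filtered = bool(BACKDROP_DECL.search(inline)) or any(
            c in self.filtered_classes for c in classes)
        if filtered:
            self.filtered_elements += 1
        if tag in VOID:
            return
        self.stack.append((tag, filtered))
        self.max_depth = max(self.max_depth, len(self.stack))
        # Depth is measured from the outermost filtered ancestor, if any.
        for i, (_, is_filtered) in enumerate(self.stack):
            if is_filtered:
                under = len(self.stack) - i - 1
                self.max_depth_under_filter = max(self.max_depth_under_filter, under)
                break

    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False
        # Pop back to the nearest matching open tag; ignore stray end tags.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        # html.parser delivers <style> contents as raw text.
        if self.in_style:
            self.filtered_classes.update(FILTER_CLASS_RULE.findall(data))


def audit_html(html, depth_limit=64):
    """Report nesting metrics; 'risky' means a backdrop-filtered subtree nests
    deeper than depth_limit (an assumed threshold, not a WebKit constant)."""
    auditor = NestingAuditor()
    auditor.feed(html)
    auditor.close()
    return {
        "filtered_elements": auditor.filtered_elements,
        "max_depth": auditor.max_depth,
        "max_depth_under_filter": auditor.max_depth_under_filter,
        "risky": auditor.filtered_elements > 0
        and auditor.max_depth_under_filter > depth_limit,
    }


def strip_backdrop_filter(html):
    """Mitigation for clients that must render untrusted HTML: remove every
    backdrop-filter declaration before the document reaches the engine."""
    return BACKDROP_DECL.sub("", html)


# Constructed sample documents (assumptions for this example).
BENIGN = ("<html><head><style>.glass { -webkit-backdrop-filter: blur(4px); }"
          "</style></head><body><div class=\"glass\"><p>Frosted panel with "
          "<b>two</b> levels</p></div></body></html>")
NESTED = ("<html><head><style>.glass{backdrop-filter:blur(4px)}</style></head>"
          "<body><div class=\"glass\">" + "<div>" * 120 + "</div>" * 120
          + "</div></body></html>")

if __name__ == "__main__":
    for name, page in (("benign", BENIGN), ("nested", NESTED)):
        print(name, audit_html(page))
```

The auditor reports depth relative to the outermost filtered ancestor rather than absolute depth, because an ordinary page can be fairly deep on its own; only depth that the compositing effect has to be applied through is what the article's description singles out. The stripping function is a coarse regex filter, which is acceptable here because losing a cosmetic blur is a far smaller cost than the device reboot the article describes.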

Comments

  • Reply 1 of 12
    You can do that with any program or library, not only with WebKit. All software has implementation limits. Embed 1000 images into a Word document; most probably it will crash, and you can brag about finding a “vulnerability” in Word. What that guy has done is no different. Find a way to execute malicious code when WebKit crashes; then that is a vulnerability, not the crash by itself.
    edited September 2018
  • Reply 2 of 12
    nunzy (Posts: 662, member)
    This is not Apple's fault. But watch the haters rejoice!
  • Reply 3 of 12
    crowley (Posts: 10,453, member)
    You can do that with any program or library, not only with WebKit. All software has implementation limits. Embed 1000 images into a Word document; most probably it will crash, and you can brag about finding a “vulnerability” in Word. What that guy has done is no different. Find a way to execute malicious code when WebKit crashes; then that is a vulnerability, not the crash by itself.
    True, but it'd be better if WebKit had better error catching and resource handling to prevent a crash in the first place.
  • Reply 4 of 12
    ...and why would anyone want to do this? What's the benefit? And what's the harm, other than annoyance?

    I guess you could say iOS could have a more elegant solution, but it does exactly what it's supposed to do: protect the device from malicious code. It just does it bluntly, by rebooting.

  • Reply 5 of 12
    gatorguy (Posts: 24,213, member)
    Aloysius said:
    ...and why would anyone want to do this? What's the benefit? And what's the harm, other than annoyance?

    I guess you could say iOS could have a more elegant solution, but it does exactly what it's supposed to do: protect the device from malicious code. It just does it bluntly, by rebooting.

    Correct. It's just silly "gotcha" stuff that kids find funny, no permanent harm and not even really malicious. 
    edited September 2018
  • Reply 6 of 12
    crowley (Posts: 10,453, member)
    Aloysius said:

    I guess you could say iOS could have a more elegant solution, but it does exactly what it's supposed to do: protect the device from malicious code. 
    Seems a bit heavy-handed for the entire device to reboot from an overload of WebKit.  I would've expected WebKit processes to fail and need reinitialising, not the entire OS to be brought down.  But maybe WebKit is just so important to modern iOS that this isn't an option.  
  • Reply 7 of 12
    volcan (Posts: 1,799, member)
    Wow it crashed my iMac as well. It is not just iOS devices. Safari for macOS is affected as well.

    I opened the source code in Chrome. What is going on is a CSS div style that applies a backdrop blur filter. Then on line 15 there are thousands of empty div tags all being styled. It is not simply 15 lines that seem to suggest it is so simple. What is really happening is that Safari is unable to process the scale of the rendering effect. Chrome on macOS is unaffected.
    edited September 2018
  • Reply 8 of 12
    netrox (Posts: 1,421, member)
    You can do that with any program or library, not only with WebKit. All software has implementation limits. Embed 1000 images into a Word document; most probably it will crash, and you can brag about finding a “vulnerability” in Word. What that guy has done is no different. Find a way to execute malicious code when WebKit crashes; then that is a vulnerability, not the crash by itself.
    A well-designed program should alert users if resources are being allocated excessively in a way that can lead to a crash, rather than crashing without warning.
  • Reply 9 of 12
    volcan (Posts: 1,799, member)
    netrox said:
    A well-designed program should alert users if resources are being allocated excessively in a way that can lead to a crash, rather than crashing without warning.
    It is simply a flaw in the application. There is no time to alert the user. As soon as the page starts loading the crash is instantaneous.
  • Reply 10 of 12
    auxio (Posts: 2,727, member)
    volcan said:
    Wow it crashed my iMac as well. It is not just iOS devices. Safari for macOS is affected as well.

    I opened the source code in Chrome. What is going on is a CSS div style that applies a backdrop blur filter. Then on line 15 there are thousands of empty div tags all being styled. It is not simply 15 lines that seem to suggest it is so simple. What is really happening is that Safari is unable to process the scale of the rendering effect. Chrome on macOS is unaffected.
    If you read the comments on the GitHub page, the only reason Chrome doesn't crash is because the backdrop filter feature isn't enabled by default.  If you turn it on in the Experimental Web Platform features, then Chrome freezes/crashes too.
    edited September 2018
  • Reply 11 of 12
    volcan said:
    netrox said:
    A well-designed program should alert users if resources are being allocated excessively in a way that can lead to a crash, rather than crashing without warning.
    It is simply a flaw in the application. There is no time to alert the user. As soon as the page starts loading the crash is instantaneous.
    But a flaw in an application really shouldn't be able to bring the OS down. That is what the sandboxing is all about.
  • Reply 12 of 12
    Yet another reason to hate CSS ;-) :-D