iOS WebKit attack

iOS WebKit attack crashes and restarts iPhones and iPads, and freezes macOS

  • A new CSS-based iOS WebKit attack can crash your iPhone or iPad and freeze your Mac. The bug affects only Apple iPhones, iPads and Mac computers; it doesn’t affect users on Windows or Linux.

A security researcher at Wire, the encrypted instant messaging app, tweeted on Saturday about his iOS WebKit attack discovery, with a PoC (proof of concept) and a link to a webpage that will crash iOS devices. The source code of the webpage containing the exploit, which is only 15 lines of specialized HTML and CSS, was posted by Haddouche on GitHub.




The 15-line snippet, when visited on an iPhone or iPad, causes the iOS device to restart; when visited on a Mac, it freezes the computer.

According to Haddouche’s report and PoC, the web attack targets WebKit, Apple’s web rendering engine. The exploit is written in HTML and CSS and contains numerous <div> tags.

What is WebKit, you may ask? WebKit is the web browser engine used by Safari, the App Store, Apple Mail and many other apps on macOS, iOS devices, and even Linux.




Apple’s development rules for the App Store don’t permit developers to bring their own rendering engine for their apps on iOS devices. All apps and browsers are therefore required to use WebKit, which makes pretty much every App Store app that does some form of browser rendering susceptible to the exploit.

“The attack uses a weakness in the -webkit-backdrop-filter CSS property. By using nested divs with that property, we can quickly consume all graphics resources and crash or freeze the OS. The attack does not require JavaScript to be enabled therefore it also works in Mail. On macOS, the UI freezes. On iOS, the device restarts”, Haddouche told Bleeping Computer.
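A defender-side check for the pattern described in the quote above, as an added example that is not from the original article or from Haddouche's PoC: it measures how deeply elements carrying backdrop-filter are nested in an HTML document, the kind of signal a mail or web content filter could score. The names max_backdrop_nesting and SAMPLE are assumptions, the sample markup is constructed, and only bare tag, .class and #id selectors are resolved.

```python
import re
from html.parser import HTMLParser

PROP = r"(?:-webkit-)?backdrop-filter\s*:"
STYLE = re.compile(r"<style[^>]*>(.*?)</style>", re.I | re.S)
# A CSS rule whose declaration block sets the property; group 1 is its selector list.
RULE = re.compile(r"([^{}]+)\{[^{}]*" + PROP + r"[^{}]*\}", re.I)
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}

class _Scanner(HTMLParser):
    def __init__(self, selectors):
        super().__init__()
        self.selectors = selectors
        self.stack, self.nested, self.max_nested = [], 0, 0

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        a = dict(attrs)
        names = {tag} | {"." + c for c in (a.get("class") or "").split()}
        if a.get("id"):
            names.add("#" + a["id"])
        inline = re.search(PROP, a.get("style") or "", re.I)
        hit = bool(inline) or bool(names & self.selectors)
        self.stack.append((tag, hit))
        self.nested += hit
        self.max_nested = max(self.max_nested, self.nested)

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates unclosed children.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                self.nested -= sum(h for _, h in self.stack[i:])
                del self.stack[i:]
                break

def max_backdrop_nesting(html):
    """Deepest chain of nested elements that each carry backdrop-filter."""
    css = "".join(STYLE.findall(html))
    # Assumption: only bare tag, .class and #id selectors are resolved.
    selectors = {s.strip() for m in RULE.finditer(css) for s in m.group(1).split(",")}
    scanner = _Scanner(selectors)
    scanner.feed(html)
    return scanner.max_nested

# Constructed sample: three filtered elements nested inside each other.
SAMPLE = ('<style>.g{-webkit-backdrop-filter:blur(2px)}</style><div class="g"><div class="g">'
          '<div style="backdrop-filter: blur(1px)"><p>hi</p></div></div></div><div class="g"></div>')
```

What nesting depth counts as abnormal is a policy choice for the filter; the article does not give a number.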

So on macOS the HTML/CSS WebKit exploit only slows down the browser, but adding JavaScript to the equation can do more dangerous damage, such as bricking macOS.




“You will be able to close the tab afterward. To make it work on macOS, it requires a modified version containing JavaScript. The reason why I did not publish it, is that it seems that Safari persists after a forced reboot and the browser is launched again, therefore bricking the user’s session as the malicious page is executed once again”, he also stated.

 

What can’t be done with the iOS WebKit attack bug?

 

Haddouche stated that the attack can’t be used to run any malicious software or to perform attacks that could steal a user’s data. But someone who wanted to create mayhem or gain notoriety could set up a fake domain hosting the page and spread the link around; iPhone users who click on it would see their device restart, which is annoying but has no major consequences.




Sabri Haddouche, the researcher who discovered the WebKit attack, claims that he notified Apple about the issue before publicizing his discovery and source code on social media sites. Apple has confirmed that it is aware of the issue and is investigating it.