New CSS Attack Restarts an iPhone or Freezes a Mac
A new attack has been discovered that will cause iOS to restart or respring and macOS to freeze simply by visiting a web page that contains certain CSS & HTML. Windows and Linux users are not affected by this bug.
"The attack uses a weakness in the -webkit-backdrop-filter CSS property," Haddouche told BleepingComputer. "By using nested divs with that property, we can quickly consume all graphic resources and crash or freeze the OS. The attack does not require Javascript to be enabled therefore it also works in Mail. On macOS, the UI freeze. On iOS, the device restart."
This attack affects all browsers on iOS, as well as Safari and Mail in macOS, because they all use the WebKit rendering engine.
"All browsers on iOS are affected because the underlying rendering engine is WebKit," Haddouche explained. "As per App Store rules, it is forbidden to bring your own rendering engine."
source on github: https://gist.github.com/pwnsdx/ce64de2760996a6c432f06d612e33aea
poc on youtube: https://www.youtube.com/watch?v=9FthGZ6GhfU
https://www.bleepingcomputer.com/news/security/new-css-attack-restarts-an-iphone-or-freezes-a-mac/
#mac
#apple
#iphone
#css
#html
@sec_nerd_en
A new attack has been discovered that will cause iOS to restart or respring and macOS to freeze simply by visiting a web page that contains certain CSS & HTML. Windows and Linux users are not affected by this bug.
"The attack uses a weakness in the -webkit-backdrop-filter CSS property," Haddouche told BleepingComputer. "By using nested divs with that property, we can quickly consume all graphic resources and crash or freeze the OS. The attack does not require Javascript to be enabled therefore it also works in Mail. On macOS, the UI freeze. On iOS, the device restart."
This attack affects all browsers on iOS, as well as Safari and Mail in macOS, because they all use the WebKit rendering engine.
"All browsers on iOS are affected because the underlying rendering engine is WebKit," Haddouche explained. "As per App Store rules, it is forbidden to bring your own rendering engine."
source on github: https://gist.github.com/pwnsdx/ce64de2760996a6c432f06d612e33aea
poc on youtube: https://www.youtube.com/watch?v=9FthGZ6GhfU
https://www.bleepingcomputer.com/news/security/new-css-attack-restarts-an-iphone-or-freezes-a-mac/
#mac
#apple
#iphone
#css
#html
@sec_nerd_en