Background

A Discovered CSS-Based Bug Restarts Apple Devices And Freezes Microsoft Browsers

HTML, Cascading Style Sheets (CSS) and JavaScript form a triad of cornerstone technologies for the World Wide Web.

But who knew that a simple, seemingly harmless piece of code consisting of only a few lines could have dramatic effects on the devices that try to view it?

A security researcher has discovered a nasty vulnerability that can affect Apple's Safari web browser. The bug can eat up all of an iPhone's or iPad's resources, forcing the device to restart to prevent damage. The vulnerability can be exploited by loading an HTML page that uses some carefully crafted CSS code.

The code itself isn't complex, and shouldn't be damaging, as it only tries to apply a CSS effect known as backdrop-filter to a series of nested page segments (DIVs). But the code can eat up all the device's resources and cause a kernel panic.

The bug was discovered by Sabri Haddouche, a software engineer and security researcher. He tweeted about the bug and published proof-of-concept source code on GitHub, which consists of only 15 lines of CSS and HTML.

The problem comes from nesting a ton of elements, such as DIV tags, that have the backdrop-filter property applied in CSS.

"By using nested DIVs with that property, we can quickly consume all graphic resources and crash or freeze the OS. The attack does not require JavaScript to be enabled, therefore it also works in Mail. On macOS, the UI freezes. On iOS, the device restarts," explained Haddouche.

This attack affects all browsers on iOS, as well as Safari and Mail in macOS, because they all use the WebKit rendering engine.

"All browsers on iOS are affected because the underlying rendering engine is WebKit," he continued. "As per App Store rules, it is forbidden to bring your own rendering engine."

"Anything that renders HTML on iOS is affected," he said.

Users who tested Haddouche's web page on both macOS and iOS confirmed that their Safari browser froze and crashed.

This is a huge inconvenience to users.

What's more, it was discovered that the issue also affects users of Microsoft Edge and Internet Explorer, where the bug causes a temporary freeze, despite original reports suggesting it only affects WebKit-based browsers.

The good news about the bug is that it is only annoying. The CSS-based bug can't be used to run malicious code, Haddouche said, meaning malware can't run and data can't be stolen using this attack. But there's no easy way to prevent the attack from working until Apple and Microsoft issue a fix.
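A mail or web content filter can still flag the pattern described above before a client renders it. The following is an added example, not code from Haddouche or from any vendor: a Python heuristic that measures how deeply elements styled with backdrop-filter are nested. The names `BackdropDepth` and `backdrop_nesting`, the default threshold of 32, and the sample input are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

VOID = set("area base br col embed hr img input link meta source track wbr".split())
PROP = re.compile(r"backdrop-filter\s*:", re.I)  # also matches the -webkit- prefix
RULE = re.compile(r"([^{}]+)\{([^{}]*)\}")       # flat "selector { body }" rules only
# Constructed input: three nested blocks styled from a <style> rule.
SAMPLE = '<style>.g{backdrop-filter:blur(2px)}</style>' + '<div class="g">' * 3 + '</div>' * 3

class BackdropDepth(HTMLParser):
    def __init__(self, selectors=()):
        super().__init__()
        self.selectors = set(selectors)  # simple selectors that set the property
        self.stack = []                  # (tag, styled) for each open element
        self.depth = self.max_depth = 0

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in VOID:
            return                       # void elements cannot contain children
        # Only tag, .class, #id and * selectors are matched (a simplification).
        keys = {tag, "*", "#" + a.get("id", "").lower()}
        keys |= {"." + c for c in a.get("class", "").lower().split()}
        styled = bool(PROP.search(a.get("style", ""))) or bool(keys & self.selectors)
        self.stack.append((tag, styled))
        self.depth += styled
        self.max_depth = max(self.max_depth, self.depth)

    def handle_endtag(self, tag):
        if all(t != tag for t, _ in self.stack):
            return                       # stray close tag: ignore it
        while self.stack:                # also closes unclosed children
            t, styled = self.stack.pop()
            self.depth -= styled
            if t == tag:
                break

    def handle_data(self, data):
        if self.stack and self.stack[-1][0] == "style":
            for sel, body in RULE.findall(data):
                if PROP.search(body):
                    self.selectors |= {s.strip().lower() for s in sel.split(",")}

def backdrop_nesting(html, threshold=32):  # threshold is an assumed cut-off
    p = BackdropDepth()
    for _ in range(2):                   # pass 1 collects selectors, pass 2 measures
        p = BackdropDepth(p.selectors)
        p.feed(html)
        p.close()
    return p.max_depth, p.max_depth >= threshold
```

`backdrop_nesting(SAMPLE)` returns the deepest nesting found and whether it reaches the threshold. Compound selectors and externally linked stylesheets are not resolved, so treat a low score as inconclusive rather than clean.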

Visiting the page from Mozilla Firefox and Google Chrome did not crash users' devices. Both of these browsers are unaffected by the issue, and can load the page as expected.

Haddouche said that he created an additional attack using HTML, CSS, and JavaScript that can totally freeze macOS computers. He has not released that code because the bug persists after a reboot: macOS relaunches Safari with the malicious page, making the computer freeze again.

Haddouche explained that he discovered the vulnerability while researching reliable denial of service (DoS) bugs on multiple browsers.

Published: 17/09/2018