Short Script Can Make Your Apple Crash and Burn. A couple of months ago, this author needed to fix an issue through an online system with only an iPhone at hand; but the page wasn’t rendering correctly on Safari, so this author downloaded Edge, Chrome and Firefox. But surprisingly, the page still rendered the same wherein a header was blocking an important table row that needed to be edited. Just realized that Apple’s webpage rendering engine, Webkit was used by all the browsers mentioned as mandated by Apple, meaning that the only difference between all these browsers were their respective little features and not much else. This may now bite Apple’s single-minded rear as a simple CSS script, properly weaponized can cause any Apple device to crash and burn, technically in the opposite order. It has recently been discovered by a security researcher that Apple’s WebKit rendering engine has a vulnerability that can crash and restart any iOS and MacOS device. Fifteen lines of code is all it would take for any iOS device browsing the web to burn through its resources, crash and then reboot, according to researcher Sabri Haddouche from Wire. Basically, nesting some web elements within the CSS backdrop filter will cause the device to burn through its resources faster than a lit match and no matter what your favorite browser is, you will encounter this problem just because your device is from Apple. “The attack uses a weakness in the webkit-backdrop filter CSS property… By using nested divs with that property, we can quickly consume all graphic resources and crash or freeze the OS… All browsers on iOS are affected because the underlying rendering engine is WebKit… as per AppStore rules, it is forbidden to use your own rendering engine.†–Sabri Haddouche, statement to BleepingComputer It’s weird how we as consumers get duped into downloading a variety of browsers, saying they’re better when they technically do the same thing; unless you have browser extensions you can’t live without. Apple will still require browser makers to use their WebKit rendering engine to render web pages, which by the way, makes life for them easier. https://youtu.be/3kgbkowrUH4 All that’s left is to add their browser’s respective bells and whistles. The problem is that whatever vulnerability WebKit has, the issue becomes universal. There is no escape from the vulnerability just mentioned and any HTML/CSS bug a website might have as per the situation described in the opening. And since iOS and MacOS share the same rendering engine, Mac users will surely experience the same thing. Windows, Linux and Android users thankfully have nothing to worry about but Apple has to patch this immediately in case this news makes it mainstream. The lackluster changes Apple made to their sequential iPhone X upgrade and audacious move in scrimping on dongles isn’t helping. This also applied to the newly-released iOS 12. The good news is, the vulnerability by itself is actually harmless apart from the forced reboot, as no personal or financial information gets leaked outside to malicious parties. This issue becomes an old school case of mischief for pranksters who have no love for Apple and their antics. These folks can simply spread out a text message that has a link to a webpage that contains this nesting script resulting in crashed iPhones, iPads and Macs (that use Safari). But this simple vulnerability can still be exploited by more malicious persons into doing something different and the potential is high as there are literally hundreds of millions of Apple devices actively used. The bad news however is that this prank can be made persistent, as Haddouche was able to make a script that actually reloads the same page in case the user restarts the browser that launched it. If you used Safari to access the page, launching it again will freeze or reboot your device. Thanks to Sabri, Apple has been made aware of this matter and as usual, it may take some time before a patch is issued and actually downloaded.
For more tutorials, news, and resources on hacking and cybersecurity, visit our blog at DarkbyteGear.com.