قالب وردپرس درنا توس
Home / Technology / Nasty piece of CSS code crashes and restarts iPhone

Nasty piece of CSS code crashes and restarts iPhone



A security scientist has detected a vulnerability in the WebKit rendering engine used by Safari that crashes and restarts the iOS operating system used by iPhones and iPads.

Vulnerability can be exploited by loading an HTML page using custom-designed CSS code. The CSS code is not very complicated and tries to use a CSS effect known as the background filter for a number of embedded side segments (DIVs).

Background filter is a relative new CSS property and appears blurred or color shifting to the area behind an item. This is a heavy processing task, and some software developers and web developers have speculated that the rendering of this effect takes a twelve on the iOS graphics management library, and eventually causes a crash of the mobile OS completely.

Sabri Haddouche, a software engineer and security researcher at Encrypted Instant Messaging Wire, is the one who discovered the vulnerability and published proof of concept code on Twitter earlier today.

This link will crash your iOS device, while this link shows the source code behind the vulnerability. Haddouche also tweeted a video of the vulnerability that crashed his phone:

"The attack uses a weakness in the CSS property for the webkit background filter, which uses 3D acceleration to process elements behind them," said Haddouche ZDNet ] in an interview.

"Using nested div with that property, we can quickly consume all graphical resources and freeze or core panic operating system."

But Haddouche also says that vulnerability also affects macOS systems and not just iOS.

"With the current attack (CSS / HTML only), it will only freeze Safari for a moment and then slow it down," said the researcher ZDNet . "You will be able to close the tab afterwards."

"To make it work on macOS, it requires a modified version that contains Javascript," he added. "The reason I did not publish it is that Safari appears to have resumed after a forced restart and the browser is re-launching, thus slipping the user's session since the malicious page is executed again."

The researcher says he has already notified Apple about the issue before publishing the code on Twitter.

"I contacted them using their security product email," said Haddouche ZDNet . "They confirmed that they got the issue and investigated it."

Haddouche told ZDNet He discovered the vulnerability while researching trusted service names (DoS) on multiple browsers. At the beginning of the month, Haddouche also released another edition that crashed Chrome and Chrome OS with a line of JavaScript.

As an iOS developer told ZDNet vulnerability could be more widespread than previously thought. This is because Apple forces all browsers and HTML-compatible applications listed on the App Store to use its WebKit rendering engine, which means the problem is likely to crash any app as can load a webpage.


Source link