Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

WebKit flaw crashes iPhones when malicious page opened in browsers, HTML-rendering apps

A security researcher has disclosed a bug in WebKit that can cause a kernel panic on an iOS device, prompting a restart of an affected iPhone or iPad, by exploiting a vulnerability in the rendering engine using just 15 lines of code in a webpage.

Posted to Twitter on Saturday, the code released by researcher Sabri Haddouche is capable of causing an iOS device to crash upon viewing, reports TechCrunch. The flaw also affects macOS but in a lesser way, with Safari freezing shortly after visiting the same site.

While only 15 lines long, the bug is effective in consuming resources on iOS devices, all by abusing CSS. Haddouche explained the page nested a large number of "div" tags within a backdrop filter property in CSS, which in turn exhausts a device's resources and commences a kernel panic. The iOS device then reboots to avoid any potential damage.

"Anything that renders HTML on iOS is affected," according to Haddouche, which includes any app that uses WebKit, Apple's rendering engine of choice. While this extends to other browsers than Safari, which are forced to use WebKit instead of another rendering engine, this also applies to apps that have their own browser to view the contents of links, including Twitter, and any that renders HTML, such as email clients.

While the code can crash an iOS device, and it could be used by others to cause someone's iPhone or iPad to crash by including the lines in a message, it is a mostly benign vulnerability in WebKit. Haddouche notes the code cannot be used to execute malware or to perform attacks that could steal a user's data, but it is difficult to stop the attack from happening once those lines are loaded.

Haddouche has released the code via GitHub in a safe-to-view fashion, as well as through an active site so interested parties can see how it works on their own hardware. The researcher claims he advised Apple about the issue on Friday, with the company said to be investigating the matter.



12 Comments

macplusplus 9 Years · 2116 comments

You can do that with any program or library, not only with WebKit. Every software has implementation limits. Embed 1000 images into a Word document, most probably it will crash and you can brag about finding a “vulnerability” in Word. What that guy has done is not different. Find a way to execute malicious code when WebKit crashes then that is vulnerability, not the crash by itself.

nunzy 6 Years · 662 comments

This iis not Apple's fault. But watch the haters rejoice!

crowley 15 Years · 10431 comments

You can do that with any program or library, not only with WebKit. Every software has implementation limits. Embed 1000 images into a Word document, most probably it will crash and you can brag about finding a “vulnerability” in Word. What that guy has done is not different. Find a way to execute malicious code when WebKit crashes then that is vulnerability, not the crash by itself.

True, but it'd be better if WebKit had better error catching and resource handling to prevent a crash in the first place.

Aloysius 6 Years · 41 comments

...and why would anyone want to do this? What's the benefit? And what's the harm, other than annoyance?

I guess you could say iOS could have a more elegant solution, but it does exactly what it's supposed to do: protect the device from malicious code. It just it bluntly, be rebooting.

gatorguy 13 Years · 24627 comments

Aloysius said:
...and why would anyone want to do this? What's the benefit? And what's the harm, other than annoyance?

I guess you could say iOS could have a more elegant solution, but it does exactly what it's supposed to do: protect the device from malicious code. It just it bluntly, be rebooting.

Correct. It's just silly "gotcha" stuff that kids find funny, no permanent harm and not even really malicious.