A security researcher has discovered a vulnerability in the WebKit rendering engine used by Safari that crashes and restarts the iOS operating system used by iPhones and iPads.
The vulnerability can be exploited by loading an HTML page that uses specially crafted CSS code. The CSS code isn’t very complex and tries to apply a CSS effect known as backdrop-filter to a series of nested page segments (DIVs).
Backdrop-filter is a relative new CSS property and works by blurring or color shifting to the area behind an element. This is a heavy processing task, and some software engineers and web developers have speculated that the rendering of this effect takes a toll on iOS’ graphics processing library, eventually leading to a crash of the mobile OS altogether.
Sabri Haddouche, a software engineer and security researcher at encrypted instant messaging app Wire, is the one who discovered the vulnerability, and published proof-of-concept code on Twitter earlier today.
“The attack uses a weakness in the -webkit-backdrop-filter CSS property, which uses 3D acceleration to process elements behind them,” Haddouche told ZDNet in an interview.
“By using nested divs with that property, we can quickly consume all graphic resources and freeze or kernel panic the OS.”
But Haddouche also says the vulnerability also affects macOS systems and not just iOS.
“With the current attack (CSS/HTML only), it will just freeze Safari for a minute then slow it down,” the researcher told ZDNet. “You will be able to close the tab afterward.”
The researcher says he already notified Apple of the issue before publishing the code on Twitter.
“I contacted them using their security product email,” Haddouche told ZDNet. “They confirmed they received the issue and are investigating it.”
On a side note, as one iOS developer told ZDNet, the vulnerability could be more widespread than previously thought. This is because Apple forces all browsers and HTML-capable apps listed on the App Store to use its WebKit rendering engine, meaning the issue will most likely crash any app that’s capable of loading a web page.