A few lines of CSS can send nearly any iPhone or iOS device crashing.
Over the weekend, security researcher Sabri Haddouche tweeted out his discovery: a web page with just 15 lines of code that will crash any iPhone or iOS device that clicks on it running iOS 9 or later. We confirmed with an iPhone running 11.4.1, as well as a phone running the public beta of iOS 12.
The crash works by overloading a backdrop CSS, used to change the background color of web pages, with nested elements. This puts a heavy strain on the processor, causing the mobile OS to simply shut down and restart. If you’re reading this on an iOS device and want to check for yourself, you can click the link below, though it will crash and cause your phone to restart.
Perhaps more worryingly, the same tactic can be used on macOS users using Apple’s Safari browser. “With the current attack (CSS/HTML only), it will just freeze Safari for a minute then slow it down,” said Haddouche to ZDNet. “You will be able to close the tab afterward … The reason why I did not publish it is that it seems that Safari persists after a forced reboot and the browser is launched again, therefore bricking the user’s session as the malicious page is executed once again.”
The link is somewhat reminiscent of the Telugu bug that circulated earlier this year, where texting someone a character from the Telugu alphabet — India’s third-most-spoken language — would lock them out of Messages altogether. It’s also similar to a bug that used bad video encoding to crash users’ iPhones in 2016, or the “Effective Power” bug from 2015. This vulnerability distinguishes itself in just how dead-simple it is, however — it’s just 15 lines of code. In each case, it took Apple about five days to patch up the vulnerability.
Haddouche says he contacted Apple about the bug before making the vulnerability public. Apple has yet to respond.