Safari for iOS was the first vulnerable browser reported

Sep 16, 2018 15:11 GMT  ·  By

Sabri Haddouche unveiled proof-of-concept (PoC) code that crashes Apple's Safari web browser on iOS with a single click on a link: the link loads a specially crafted web page containing an exploit for the WebKit rendering engine's -webkit-backdrop-filter CSS property, provoking an immediate kernel panic and a full system reboot.

Even though Sabri's PoC was initially released as an iOS vulnerability, many other Twitter users quickly came back announcing that other web browsers were also crashing after loading the PoC, most of them even taking down the entire operating system with them.

In an interview given to ZDNet, Haddouche said that "the attack uses a weakness in the -webkit-backdrop-filter CSS property, which uses 3D acceleration to process elements behind them. By using nested divs with that property, we can quickly consume all graphic resources and freeze or kernel panic the OS."

Although the researcher said that the PoC currently works only for the Safari for iOS web browser, he subsequently replied to his original tweet saying that all Internet Explorer versions are also exploitable.

This might be proof that, as a large number of Twitter users reported and as already mentioned above, this exploit crashes not only Safari for iOS but web browsers on other platforms as well.

The HTML and CSS proof of concept's threat scope goes beyond Safari for iOS

To be more exact, users have reported that everything from Linux machines running Firefox and Apple Watch devices running watchOS 5 to PCs with Internet Explorer and Macs with Google's Chrome web browser either restart or freeze when loading Sabri's deadly link.

It's also important to mention that Apple requires all enrolled macOS and iOS developers to use the WKWebView class for displaying interactive web content within their apps (i.e., whenever an in-app web browser is needed), on iOS 8.0+ and OS X 10.10+.

Unfortunately, this means we can safely assume that every app that uses the WebKit rendering engine to let its users view web content is also vulnerable to crashing when it loads this specially crafted page and, hypothetically, to bringing down the entire OS through the kernel panic.

As Haddouche said, he has already notified Apple about the WebKit vulnerability he discovered, and Cupertino is investigating it and possibly working on a fix to be included in a future release.