A New CSS Attack Can Freeze Your Mac and Restart Your iPhone
Security researcher Sabri Haddouche recently demonstrated a proof of concept for a newly developed CSS attack that specifically targets iPhone and Mac users. The attack, which you can see in action here, exploits vulnerabilities in the WebKit rendering engine to overload the graphics of iPhones and Macs, causing them to reboot, respring, or simply freeze. MacOS and iOS users should be cautious when clicking on random links.
What Are CSS Attacks?
A CSS attack, also known as Cross-Site Scripting, is an attack that takes advantage of the vulnerabilities found in web applications. The attacks are based on the “same-origin policy” and use malicious content scripted onto a compromised website. When a user clicks through to the website, they inadvertently execute the malicious code. Links to these websites are mostly shared via emails from unknown senders. In its most basic form, a CSS attack is an attack on the privacy of internet users.
Up until recently, CSS attacks targeted specific websites. Their purpose was to gather sensitive information, such as bank credentials, cookie sessions, and log-in information. Security researcher Sabri Haddouche’s CSS and HTML now target iOS and MacOS users. The CSS freezes, reboots, or resprings the devices (depending on the version of iOS each device is running). The basis of the attack is simple enough: 15 lines of code with a backdrop-filter and a series of nested page segments which use up all of the iOS device’s resources. The attack exploits the vulnerability found in the rendering engine WebKit, which is used by all browsers available through the Apple store.
Haddouche also claims to have developed a CSS attack using HTML, CSS, and JavaScript that puts MacOS into a continuous loop of rebooting. Because Safari reloads the last web page you were on, the affected page will keep reloading and crashing the system over and over again. Unlike the first CSS attack, Haddouche did not release a proof of concept for the MacOS CSS attack.
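A defensive heuristic for the page structure described above, as an added example that is not from the original article or from Haddouche's proof of concept: it flags HTML that combines a backdrop-filter declaration with unusually deep element nesting, as a mail or web gateway might. The depth threshold, the names used and both sample pages are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

MAX_DEPTH = 32  # assumed threshold for this example; tune against real pages
BACKDROP_RE = re.compile(r"(?:-webkit-)?backdrop-filter\s*:", re.I)
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}

class PageProfile(HTMLParser):
    """Tracks element nesting depth and collects CSS from <style> and style=""."""
    def __init__(self):
        super().__init__()
        self.depth = self.max_depth = 0
        self.in_style = False
        self.css = []

    def handle_starttag(self, tag, attrs):
        style = dict(attrs).get("style")
        if style:
            self.css.append(style)          # inline style attribute
        if tag in VOID:
            return                          # void elements never nest
        self.depth += 1
        self.max_depth = max(self.max_depth, self.depth)
        self.in_style = tag == "style"

    def handle_endtag(self, tag):
        if tag not in VOID and self.depth:
            self.depth -= 1                 # heuristic: unclosed tags inflate depth
        self.in_style = False

    def handle_data(self, data):
        if self.in_style:
            self.css.append(data)           # contents of a <style> block

def scan(html):
    """Return the nesting depth, backdrop-filter use, and the combined verdict."""
    p = PageProfile()
    p.feed(html)
    p.close()
    uses = any(BACKDROP_RE.search(c) for c in p.css)
    return {"max_depth": p.max_depth, "backdrop_filter": uses,
            "suspicious": uses and p.max_depth > MAX_DEPTH}

# Constructed samples: an ordinary page, and a page pairing the property with 40 nested divs.
BENIGN = "<html><head><style>.nav{backdrop-filter:blur(4px)}</style></head><body><div class='nav'><p>hi</p></div></body></html>"
NESTED = "<style>.panel{-webkit-backdrop-filter:blur(2px)}</style>" + "<div>" * 40 + "</div>" * 40

if __name__ == "__main__":
    print(scan(BENIGN), scan(NESTED))
```

Neither signal is unusual on its own, so the check only fires when both appear in the same document.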
What Does this Mean for iOS Users?
Apple users used to trust that iOS and MacOS products were invulnerable to hacks and attacks. In recent years, several Apple vulnerabilities have been found, proving that the PC competitor isn’t as hack-proof as once advertised. Haddouche’s CSS attack isn’t malicious by nature. However, it does raise the possibility of using iOS’ WebKit vulnerabilities for more data-theft-oriented CSS attacks. This is a big privacy concern for iOS and MacOS users. Since Apple forces all browsers and HTML-based apps to use WebKit, the problem may only get bigger. In theory, this kind of attack can spread through all WebKit-using apps, which isn’t so great for anyone planning on using Apple’s store any time soon.
iOS CSS Attack – Final Thoughts
Haddouche found these vulnerabilities while investigating different DoS attacks on multiple browsers. So far, it doesn’t look like there’s a way to stop the attack once you click on the link. That being said, you can still protect your data from being targeted and stolen by CSS attacks by using a powerful cyber-security tool like a VPN. For now, all you can do is make sure that you don’t click on any links that you don’t recognize. Be sure to stay up to date on all of the security and privacy measures you can take.