Remember 2015 and the “Unicode of Death”, when a mere string of text in a messaging app could crash your iPhone and force it to reboot? Well, it is happening again. This time, all that’s needed to crash the phone is a webpage with some HTML and CSS.
macOS freezes, iOS restarts
Imagine you are being notified that a new mail is waiting for you in your inbox. You open your iPhone, click on your mail icon, see the mail, and suddenly your device reboots. You wonder why, think nothing of it and try it again – another reboot. If that happens to you, you might have fallen victim to the latest macOS / iOS weakness.
The attack is rather simple. Sabri Haddouche, a security researcher at Wire, told BleepingComputer that it uses a weakness in the -webkit-backdrop-filter CSS property. Nested divs (HTML containers) that use it can consume all graphics resources and crash or freeze the OS. Because the attack is so simple and does not even require JavaScript, it can also be sent via mail and crash phones and Macs from there.
— Sabri (@pwnsdx) September 15, 2018
All browsers “supported”
Since every browser on iOS and Mac has to use the same underlying rendering engine – WebKit – all browsers are affected. There is no exception as Apple basically says no to any other rendering engine.
If you want to try it out yourself, just follow this link. But be warned: Depending on your iOS version your phone will either reboot or reload the UI. A Mac on the other hand will “only” get slower and slower. Here you can close the browser and should be fine. By the way: There is a similar attack that will freeze the Mac, too, but Haddouche decided not to release it since it persists after a reboot.
No fix yet
As of now, there is no fix available from Apple. In the end, all you can do is make sure not to click on random links and not to open mails from unknown sources. If you do fall into the “trap”, it’s more a nuisance than a threat, though: your device will reboot and you’ll be fine afterwards.
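For anyone filtering mail or web content in the meantime, the pattern described above (nested containers that each set -webkit-backdrop-filter) can be measured before the HTML ever reaches WebKit. The following Python is an added example, not code from the researcher or from Apple; the function names, the `SAMPLE` string and the threshold of 3 are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

PROP = re.compile(r"(?:-webkit-)?backdrop-filter\s*:", re.I)
# Class selectors of simple CSS rules whose body sets the property.
RULE = re.compile(r"\.([\w-]+)\s*\{([^}]*)\}")
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}
# Constructed sample: four nested containers, each setting the property.
SAMPLE = '<div style="-webkit-backdrop-filter: blur(1px)">' * 4 + "</div>" * 4


class BackdropDepthScanner(HTMLParser):
    """Tracks how deeply elements that set backdrop-filter are nested."""
    def __init__(self, flagged_classes):
        super().__init__()
        self.flagged_classes = flagged_classes
        self.stack = []      # (tag, uses_filter) for every open element
        self.depth = 0       # open elements that set the property
        self.max_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in VOID:      # void elements never get an end tag
            return
        a = dict(attrs)
        classes = set((a.get("class") or "").split())
        uses = bool(PROP.search(a.get("style") or "") or classes & self.flagged_classes)
        self.stack.append((tag, uses))
        self.depth += uses
        self.max_depth = max(self.max_depth, self.depth)

    def handle_endtag(self, tag):
        # Tolerate sloppy markup: close back to the nearest matching open tag.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                self.depth -= sum(u for _, u in self.stack[i:])
                del self.stack[i:]
                break


def backdrop_nesting_depth(html):
    flagged = {m.group(1) for m in RULE.finditer(html) if PROP.search(m.group(2))}
    scanner = BackdropDepthScanner(flagged)
    scanner.feed(html)
    scanner.close()
    return scanner.max_depth

def should_quarantine(html, threshold=3):  # threshold: assumed policy value
    return backdrop_nesting_depth(html) >= threshold
```

A single frosted-glass panel yields a depth of 1 and passes; only chains of nested elements that all set the property reach the threshold.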