Every now and then we hear about some link or a long string of text that is able to crash iPhones and iPads. In the past few years we have had several instances when such bugs that mostly affected messaging apps were leaked to public and caused havoc, until Apple pushed a software update to fix the bug. What made those bugs so effective was the fact that they did not require much input from the affected unsuspecting user, all you had to do is open the text message thread and your device will crash, entering a boot loop in many cases.
Now another iOS bug has been uncovered by security researcher @pwnsdx, which is able cause a full device kernel panic on the device, causing the device to crash. It relies on a snippet of HTML and CSS that has to be sent to the target device in order to crash it. Unlike many similar bugs we have seen in this past this bug’s affects are not limited to just crashing the SpringBoard as it causes a kernel panic.
This bug affects iOS devices that can interpret background-filter effect, which includes all modern iOS devices since support for this was introduced with iOS 7. When the web code snippet with HTML lots of div elements and few lines of CSS is sent to a target device it applies a computer blur effect to every element on the page. This puts a lot of load on the webKit renderer, causing the system to crash with a kernel panic. The device crashes, displays the Apple boot logo and reboots.
— Sabri (@pwnsdx) September 15, 2018
To target a device the HTML and CSS code needs to be placed on a URL and sent over to a user. But for the attack to succeed user has to open the link in the web browser. This makes the bug less annoying than the iMessage bugs as they were initiated as soon as you opened the message.
The bug appears to be affecting both iOS 11 and iOS 12, and can also cause desktop browsers to freeze. As the bug has now become public, we hope Apple will fix it in the final version of iOS 12 and release a patch for iOS 11.
For those interested, full source code for the bug is available on GitHub here. You can trigger the bug by opening ‘safar-reaper.html’ on the page.