A security researcher has discovered a new so-called “text bomb” that can cause iOS and other devices to kernel panic and forcibly restart.
Sabri Haddouche (@pwnsdx) on Saturday tweeted a link to a webpage containing a proof-of-concept attack, dubbed “Safari Reaper.”
The webpage contains a small snippet of HTML/CSS that can crash iOS devices — as well as Macs and other devices — if opened in a web browser.
In other words, an impacted device will freeze up and reboot if the site is visited. In other, milder cases, it won’t cause a reboot but can force a “respring” of the user interface.
How to force restart any iOS device with just CSS? 💣
IF YOU WANT TO TRY (DON’T BLAME ME IF YOU CLICK) : https://t.co/4Ql8uDYvY3
— Sabri (@pwnsdx) September 15, 2018
How Does Safari Reaper Work?
The attack takes advantage of a flaw in Safari’s WebKit webpage rendering engine that can cause an impacted device to become overloaded. Basically, the attack involves nesting a lot of elements — in Haddouche’s case, over 3,000 <div> tags — in a backdrop filter property in CSS.
That is, essentially, hiding thousands of elements in a single line of code. And when a web browser goes to render the webpage with that code, it’ll use up all of a device’s memory resources and cause a kernel panic.
Because the attack relies on CSS, it can theoretically be hidden in any normal webpage. While it can’t be shared via SMS text message like some text bombs, the attack could hypothetically be embedded within an HTML email message. That could crash a device if that email is opened.
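A mail gateway or content filter can flag this pattern (very deep element nesting together with backdrop-filter) before the markup reaches a renderer. The sketch below is an added example, not code from the original article or from Haddouche's proof of concept; the names `NestingScanner` and `scan_html` and the depth threshold of 500 are assumptions chosen for illustration.

```python
from html.parser import HTMLParser

# Void elements never take a closing tag, so they must not add depth.
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}

class NestingScanner(HTMLParser):
    """Records the deepest element nesting and any use of backdrop-filter."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []            # currently open elements
        self.max_depth = 0
        self.backdrop_filter = False
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        # Inline style; also matches the -webkit- prefixed form.
        style = dict(attrs).get("style") or ""
        if "backdrop-filter" in style.lower():
            self.backdrop_filter = True
        if tag == "style":
            self._in_style = True
        if tag not in VOID:
            self.stack.append(tag)
            self.max_depth = max(self.max_depth, len(self.stack))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False
        # Ignore stray closers so they cannot be used to hide real depth;
        # unclosed elements stay open, which errs on the side of flagging.
        if tag in self.stack:
            while self.stack.pop() != tag:
                pass

    def handle_data(self, data):
        if self._in_style and "backdrop-filter" in data.lower():
            self.backdrop_filter = True

def scan_html(markup, max_depth=500):
    """Return nesting statistics; max_depth is an assumed policy threshold."""
    s = NestingScanner()
    s.feed(markup)
    s.close()
    return {"max_depth": s.max_depth, "backdrop_filter": s.backdrop_filter,
            "suspicious": s.backdrop_filter and s.max_depth > max_depth}

# Constructed, deliberately shallow sample; the demo lowers the threshold to 3.
SAMPLE = ("<style>div{-webkit-backdrop-filter:blur(1px)}</style>"
          "<div><div><div><div><p>hi<br></p></div></div></div></div>")
```

Calling `scan_html(SAMPLE, max_depth=3)` flags the sample, while the default threshold does not. Legitimate pages rarely nest hundreds of levels deep, so the threshold can be tuned against real mail or web traffic before the rule is enforced.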
The attack has been shown to impact basically every recent version of Apple’s mobile operating system, from iOS 7 to the newly released iOS 12. Haddouche notes that the code affects “anything that renders HTML on iOS” — meaning that social media apps like Twitter and Facebook could be impacted by it.
The code can also crash and reboot macOS devices if the link is opened in Safari. According to at least one user, Safari on Mac may also attempt to automatically bring up the text bomb webpage again once the computer restarts. That could, in theory, cause perpetual crashing for some users.
Twitter user Robert Petersen also seemed to demonstrate that Apple Watch devices can be affected if the webpage is opened in Safari.
Should You Be Worried?
Like most text bombs, the CSS attack is annoying and inconvenient. But thankfully, there’s little risk of long-term damage and your private data can’t be stolen.
The security researcher shared his findings with Apple on Friday. It’s likely that the Cupertino tech giant is currently investigating the problem and will release a fix in a future update.
But until a patch is introduced, there’s little that can be done to avoid the kernel panic or reboots.
As always, be vigilant about unsolicited links. If you’re having trouble getting a device to restart without crashing perpetually, try disconnecting it from the internet.