The developer and cyber security specialist Sabri Haddouche found that 15 lines of CSS code running on iOS cause the kernel to crash and reboot the device. On the macOS after the clicking on the "overloaded" link, the browser may freeze. All versions of iOS, including the latest update 11.4.1, as well as iOS 12, which is currently undergoing beta testing are vulnerable.
Haddouche published a PoC code on GitHub. It exploits a vulnerability in the WebKit web rendering engine. Placement of a large number of tags (for example, a div) inside the CSS property of backdrop-filter results in all the device resources being used to render the page. This causes a crash in the kernel, and the system starts a reboot to prevent it from corrupting.
The developer notified Apple of the vulnerability, and the company began an internal investigation.
As Haddouche noted in a conversation with TechCrunch, all applications that handle HTML are under threat. You can cause a failure through an e-mail message or a link to an "overloaded" web page. The attack does not allow executing malicious code and does not allow an attacker to access the device data, however, according to experts, it will be difficult to find a way to prevent it.
CSS is a tool for designing web content written primarily in HTML. However, specialists from time to time discover that it allows, for example, to collect confidential user like passwords or track actions on the web.