CSS-Based Attack to Restart iPhone

As the researcher noted, all applications that handle HTML are under threat
17 September 2018

The developer and cyber security specialist Sabri Haddouche found that 15 lines of CSS code running on iOS cause the kernel to crash and the device to reboot. On macOS, clicking the "overloaded" link may freeze the browser. All versions of iOS are vulnerable, including the latest update, 11.4.1, as well as iOS 12, which is currently undergoing beta testing.

Haddouche published PoC code on GitHub. It exploits a vulnerability in the WebKit web rendering engine. Placing a large number of tags (for example, div) inside an element styled with the CSS backdrop-filter property causes all of the device's resources to be consumed in rendering the page. This crashes the kernel, and the system reboots to prevent corruption.

The developer notified Apple of the vulnerability, and the company began an internal investigation.

As Haddouche noted in a conversation with TechCrunch, all applications that handle HTML are under threat. The failure can be triggered through an e-mail message or a link to an "overloaded" web page. The attack does not allow execution of malicious code and does not give an attacker access to data on the device. However, according to experts, it will be difficult to find a way to prevent it.

CSS is a tool for designing web content written primarily in HTML. However, specialists discover from time to time that it can be used, for example, to collect confidential user data such as passwords or to track actions on the web.

Google to Announce .dev Top-Level Domain

Acceptance of applications for the new domain will begin in January 2019
13 November 2018

At the Chrome Dev Summit, Google representatives briefly announced the imminent opening of name registration for the .dev top-level domain. Applications will be accepted starting in January 2019.

From January 16 to February 19, 2019, brand and trademark owners will have the opportunity to register a domain name with their trademark. From February 19 to 28 there will be an early access stage with a higher price. And from February 28, access will be open to anyone.

As noted, the .dev domain, like the previously opened .app, will receive support for the HTTPS protocol by default. A more detailed description of the domain zone is available on the official website.

In May 2018, Google announced public registration in the .app domain zone, the first top-level domain that allows only secure connections. In October 2018, early registration began in the .page zone. Unlike .app and .dev, which are designed for developers, the .page zone is focused on personal pages, business and thematic sites. The domain also supports only secure channels.