Today, Apple has become one of the most valuable companies in the world. Its products and devices, such as the iPhone, iPad, and Mac computers, are owned by millions of people worldwide. However, being a leading company in the IT industry does not make Apple products immune to attacks.
A security researcher named Sabri Haddouche revealed a proof-of-concept (PoC): a web page containing an exploit that uses only a few lines of specially crafted CSS & HTML code. If the web page is visited, it causes a full device kernel panic and an entire system reboot. The source code of the CSS & HTML web page that causes this attack can be seen on his GitHub page.
The attack exploits a weakness in WebKit, Apple’s web rendering engine. WebKit is unable to properly load multiple elements, such as “div” tags, inside a backdrop-filter property in CSS. Sabri therefore created a web page that uses up all of the device’s resources, causing the device to shut down and restart due to a kernel panic.
All web browsers that can operate on iOS and macOS, including Google Chrome, Safari, and Microsoft Edge, use the WebKit rendering engine, so they are vulnerable to this CSS-based web attack. The WebKit vulnerability has already been reported to Apple, and the company is investigating the issue and working on a fix to address it in a future release.
As one of the IT security experts in Indonesia, Defender Nusa Semesta (DNS) hopes that this article makes you aware of the possible attacks that can be executed via the web. We therefore recommend that all Apple users be extra careful when visiting any web page or clicking any links or URLs. You should thoroughly check these links before clicking; if they look suspicious, do not click them!