CrashSafari web link targets other browsers too
Prank website CrashSafari(dot)com has been causing headaches to Mac OS X and iOS users. Upon visiting the website, Apple Safari on Mac computers will simply crash,, however, when opening the same URL on an iPhone or iPad, iOS device owners are forced to reboot.
The website, as mentioned earlier, has been created most likely as a prank, and no malicious or dangerous effects have been reported after rebooting devices, or on any desktop systems.
Effects
The nature of the prank lies in a relatively simple Javascript snippet that generates a random, and very long URL in the address bar, in an attempt to force the CPU to work overtime and crash the browser, as well as the host system, the latter of which may or may not occur, depending on the resources available.
In our case, we have tested the URL on four different browsers running on a Microsoft Windows 10, 3.5GHz AMD Athlon custom workstation, with 32GB of RAM. All browsers we have tested, including Google Chrome, Microsoft Edge, Tor/Mozilla Firefox, and of course, Apple Safari, have met a similar fate, upon launching the link. Each browser froze, and became unresponsive, which is to be expected on a website designed to progressively call more resources overtime, which in turns increases the workload of the CPU.
The only browser that retained the ability to at least display a popup warning asking if the current running script should be stopped, was Tor/Firefox, although clicking on the popup did not have any effect.
While desktop computers like Windows 10 laptops, MacBooks or iMacs will be capable of limiting the effects from the high-CPU usage to freezing the browser, iOS and Android devices are not so lucky.
iPad and iPhone devices, as well as android phones and tablets can be especially vulnerable to this type of attack, and the impact on the CPU will be so overwhelming, at least on some systems, that the device will leave the owner no choice but force-reboot, however we have noticed this type of behavior seems to be more common on iOS devices than on Android, with no word yet on its impact on Windows 10 phones.
On high-end Samsung phones like the Galaxy Note 5, for instance, the link will still allow the user to shut down Google Chrome, with no other negative effects on the system.
How it’s done
Upon a quick inspection of the code that makes CrashSafari(dot)com, reveals two things, the first being a Google Analytics tracking code, which makes sense, as anybody pulling a similar prank would be at least a little curious about who is actually falling for it. The second thing we have noticed is the relative simplicity with which one can crash a browser, and cause a mobile device to crash.
The feat was accomplished with five lines of Javascript:
- var total =””;
- for( var i = 0; i < 100000; i++) {
- total = total + i.toString();
- history.pushState(0,0, total );
- }
The second line (starting with “for...”) is designed to generate a huge random number, while the fourth line (starting with “history.pushState...”) will take that number and push it to the address bar, effectively flooding the address bar with numeric junk, progressively driving up CPU usage.
Based on this, we can gather that the attack is not simply aimed at Safari, as the code runs “just fine” in every browser running Javascript.