Apple aware of Crash Safari code, looking into a fix

There's a web page out there called Crash Safari that uses JavaScript to put your browser into a loop, crash it, and potentially crash your device as well. Apple is aware of the page — and more importantly, the code — and is looking into a fix.

The internet being the internet, however, pranksters are already circulating the prank using URL shorteners and redirects through social networks, links, and email, to try and deliberately crash other people's browsers. So, until the fix is released, make sure you follow the same safety tips that apply to any form of phishing attack:

  1. On iOS, touch-and-hold (long press) on a text link to see the full URL. If you have an iPhone 6s or 6s Plus, don't press hard enough to open the 3D Touch preview, as that will execute the code and crash Safari.
  2. On OS X, hover over a text link to see the full URL.
  3. Avoid shortened links. You never know what might be behind them.
  4. Don't tap or click on any link that seems suspicious in any way — that's just good safety practice anyway.

As always, there's no need to worry, just be aware. Hopefully the fix will be out shortly. In the meantime, surf safe!

Rene Ritchie


  • The code is:
    var total = "";
    for (var i = 0; i < 100000; i++) {
        total = total + i.toString();
        history.pushState(0, 0, total);
    }
    For anyone interested
  • A loop that loops 100 thousand times adding 100 thousand entries to your browser's history. It basically consumes all of the system RAM on iOS and causes the OS to crash. On desktops it continues to eat system RAM until you forcefully kill the process. There's nothing malicious about using the history.pushState() JavaScript API; what does make it malicious is how many times the loop happens. The only way that I can think of that can be done to guard against this kind of thing happening again is to limit the amount of times that a call to the history.pushState() API can be executed per page instance and if it exceeds that amount the script is automatically killed.
  • All WebKit based browsers are vulnerable to this issue. It doesn't matter if it's Google Chrome, Safari, Vivaldi, SRWare Iron, etc. If it uses WebKit code, it's vulnerable.
  • Posted from my Nexus 6P
  • So what? It crashes all WebKit browsers including Chrome.
  • Doesn't crash Chrome when I go to it. Posted via the iMore App for Android
  • Site doesn't even open for me. Posted via the iMore App for Android
  • Can't open it either on Chrome.
  • "This page not available" Is what I get opening in Chrome
  • Nice work
  • "Apple is aware of the page — and more importantly, the code — and is looking into a fix." Bullsh*t!! Where's your source? Who told you they are aware and are looking into it? Rene, quit being an Apple shill. Sucking up to them like this won't get you more "exclusive reviews" and if it does, what's the point of trading your self-worth and integrity to suck up to Apple for the review scraps? Why not be truly objective and let Apple's f-ups show up as such instead of justifying *everything*? I've noticed that *every* time something remotely negative comes out, you're the first one to jump out and defend them, just like the guys who go "not all men..." at the first hint of generalization. Defending them like this is detrimental to Apple's current and future products. Maybe you should let them sweat a little instead of defending them at any cost. Have some integrity.
  • It crashes Chrome and Firefox on Android and PCs too. So if it's Apple's f-up, then Google and Mozilla f-uped too. Is that really what you want? Or did you just want to have a little cry about it?
  • Nope it doesn't. Went to crash safari . com on my nexus 6p and it didn't crash chrome on that. Might crash on other devices haven't checked yet. Posted via the iMore App for Android
  • j3111834 = ****
  • Remember, as Rene said on MacBreak Weekly, he's concerned about staying on message in concert with Apple. This is no surprise.
  • You think you're the only one who reads Apple news on the Internet? Of course Apple's aware of it! Would you feel better if Rene said 'according to an unnamed source?' Also not sure it's Apple's f-up for not patching a vulnerability in JavaScript.
  • I think the point is how do we know? You're assuming. But a journalist can't post assumptions. Has Apple spoken out about the issue to let us know they are looking into a fix?
  • While we wait for Apple to release a new update, there is a quick fix for that
  • It's not really a quick fix when most people don't have a jailbroken device
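
The cap on history.pushState() calls suggested in the comments above can be modelled as a wrapper that gives each page a call budget per time window plus a URL-length limit. This is an added example, not code from the article, its commenters or any browser; installPushStateGuard, simulateLoop, the stand-in history object and every limit value are assumptions made for illustration.

```javascript
// Added example: a per-page budget for history.pushState() calls.
// maxCalls, windowMs and maxUrlLength are assumed values, not any browser's limits.
function installPushStateGuard(historyObj, options = {}) {
  const { maxCalls = 100, windowMs = 30000, maxUrlLength = 2048, now = Date.now } = options;
  const original = historyObj.pushState;
  const stats = { allowed: 0, blocked: 0 };
  let windowStart = now();
  let callsInWindow = 0;
  historyObj.pushState = function (state, title, url) {
    const t = now();
    if (t - windowStart >= windowMs) { // window elapsed: start a fresh budget
      windowStart = t;
      callsInWindow = 0;
    }
    const tooLong = url != null && String(url).length > maxUrlLength;
    if (tooLong || callsInWindow >= maxCalls) {
      stats.blocked++;
      // Throwing aborts the calling script unless it catches the error.
      throw new Error(tooLong ? "pushState URL too long" : "pushState rate limit exceeded");
    }
    callsInWindow++;
    stats.allowed++;
    return original.call(historyObj, state, title, url);
  };
  return stats;
}

// Constructed stand-in for window.history so the example runs outside a browser.
function makeFakeHistory() {
  const entries = [];
  return { entries, pushState(state, title, url) { entries.push(String(url)); } };
}

// Replays the loop quoted in the comments against the guarded stand-in.
function simulateLoop(iterations, options) {
  const fake = makeFakeHistory();
  const stats = installPushStateGuard(fake, options);
  let total = "";
  let stoppedBy = null;
  try {
    for (let i = 0; i < iterations; i++) {
      total = total + i.toString();
      fake.pushState(0, 0, total);
    }
  } catch (err) {
    stoppedBy = err.message;
  }
  return { entries: fake.entries.length, blocked: stats.blocked, stoppedBy };
}
```

In a real browser the check has to live in the engine itself, since a wrapper installed from page script can be undone by the page's own code.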