What were you expecting?
It crashes the browser by writing thousands of characters in the address bar every second, exhausting memory.
The attack is just four lines of code, and can crash Safari or Chrome on an iPhone or Android phone, or reboot the entire phone. It even works against some desktop browsers, depending on how much RAM and CPU the machine has available.
It leverages HTML5’s history.pushState, a JavaScript function used by many single page applications to update the address bar, even though the underlying page being viewed doesn’t change.
People are sending the link around on social media disguised behind a short URL, to trick others into opening it and leave them unable to use their browser until they reboot.
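As an added example (not part of the post, and not any browser's actual implementation), here is the kind of defensive check a browser or page could apply to the pushState flood described above: a wrapper that caps history.pushState calls per time window and refuses oversized URLs, so a runaway loop stops growing the history stack. The limits, the fake History object and the injectable clock are assumptions so the code runs outside a browser.

```javascript
"use strict";

// Assumed limits; real browsers choose their own.
const DEFAULTS = { maxCallsPerWindow: 100, windowMs: 1000, maxUrlLength: 2048 };

// Wrap a History-like object so pushState is rate-limited and length-checked.
// `now` is injectable so the logic can be exercised without a real clock.
function makeGuardedHistory(hist, opts = {}, now = () => Date.now()) {
  const cfg = { ...DEFAULTS, ...opts };
  const origPush = hist.pushState.bind(hist);
  const stats = { accepted: 0, dropped: 0, oversized: 0 };
  let windowStart = now();
  let callsInWindow = 0;

  hist.pushState = function (state, title, url) {
    const t = now();
    if (t - windowStart >= cfg.windowMs) { windowStart = t; callsInWindow = 0; }
    if (typeof url === "string" && url.length > cfg.maxUrlLength) {
      stats.oversized++;          // refuse URLs that would bloat each history entry
      return;
    }
    if (callsInWindow >= cfg.maxCallsPerWindow) {
      stats.dropped++;            // budget for this window is spent: drop the call
      return;
    }
    callsInWindow++;
    stats.accepted++;
    return origPush(state, title, url);
  };
  return stats;
}

// Constructed stand-in for window.history (hypothetical, for running in Node).
function fakeHistory() {
  const entries = [];
  return { entries, pushState(state, title, url) { entries.push(url); } };
}

// Exercise the guard: `calls` pushState calls spaced `msPerCall` apart,
// followed by one URL longer than the configured limit.
function exerciseGuard(calls, limits, msPerCall = 0) {
  let t = 0;
  const hist = fakeHistory();
  const stats = makeGuardedHistory(hist, limits, () => t);
  for (let i = 0; i < calls; i++) {
    t = i * msPerCall;
    hist.pushState(null, "", "/page/" + i);
  }
  const tooLong = (limits.maxUrlLength || DEFAULTS.maxUrlLength) + 1;
  hist.pushState(null, "", "/" + "a".repeat(tooLong));
  return { stats, stored: hist.entries.length };
}
```

With 500 calls in the same second only the first 100 reach the real pushState; spread over ten seconds at 50 per second, all 500 pass, which is the difference between a runaway loop and a normal single-page app.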
Matt Lorence says
Knowing exactly what to expect, I'm kind of tempted to try it anyway…
Paul Spoerry says
Let me know how it works +Matt Lorence. I was tempted too. My laptop has 16g so if it's just memory that would knock out a desktop browser I might be ok with trying.
Steve Vance says
It could be bad if someone were to link-shorten it and send it to unsuspecting people.
Matt Lorence says
Took about 4 seconds to lock up, and I had to hold the power button on my computer to reset.
It's a 6-year-old 32-bit box running Windows 7 Pro.
I'm waiting on IT to bring me something not forged in the bronze age.
The address bar just started filling with consecutive numbers; I locked up at crashsafari .com/123456789101112131415161718192021222324252627282930313233343536
Paul Spoerry says
+Steve Vance Apparently that's how it's being distributed. I saw an article after I'd posted this that showed URL shortening services with the number of clicks.
+Matt Lorence Eh gad… 32bit!? When I get done working I'll shut mine down and give it a shot.
Steve Vance says
Them bastards
Thomas Wrobel says
Interesting. Should be pretty easy to patch though, so I wouldn't expect it to work for long.
Matt Lorence says
+Paul Spoerry I know….
What's spurring the upgrade is the discontinued support of the 32 bit version of the CAM software I use daily. Icing on the cake is the already ended support of 32 bit systems for Solidworks. I can't even use their solid viewer.
Paul Spoerry says
So I shut down Chrome and fired up an Incognito Windows and tested this on my i7 with 16gb of memory. After running for a bit I saw a "Page Unresponsive" pop in my taskbar but I couldn't click on it. Even after seeing Chrome state the page was unresponsive I continued to see the memory use climb and climb. I didn't let it gobble everything up and finally killed it when it climbed past 12gb of ram usage. I was able to simply kill the browser and everything went back to normal. Screenshot: http://imgur.com/ea7U2ZO
I think +Thomas Wrobel is right in that we'll see the major browser makers put in a check that'll prevent this in the near future.
I know the feeling +Matt Lorence (it's painful on my end) of having to move things. Our IT guys are making us migrate all software off of older versions of Windows Server and SQL Server. It totally makes sense and part of me is looking forward to the new stuff… but migrating everything is a complete pain in the ass.