Crashing Safari: beware of shortened URLs

Australia’s Stay Smart Online has issued an alert warning of how a Social media prank crashes Apple Safari. The browser freeze is caused by a snippet of looping JavaScript that keeps calling the history.pushState() method in the HTML5 API. The attack – as far as I’m concerned, it’s a Trojan, not a prank, even if its effects are usually inconvenient rather than critical (though they could result in lost data) – does affect other browsers to an extent, but Safari seems to be particularly susceptible (on OS X and on iOS). According to 9To5Mac, it freezes on Macs and may require a system restart to recover, while

“On some iPhones and iPads, the glitch may cause your iOS device to reboot.”

Stay Smart Online observes that:

1. Current Chrome tabs will stop responding but the web browser will continue to work
2. Firefox will catch the malicious code and ask if the user wants to stop it executing.
3. Internet Explorer will temporarily stop working, but resume working after a short time.

The site is helpfully named crashsafari.com, but it appears that ‘trolls’ are directing their victims to it using shortened URLs such as bit.ly, t.co and tinyURL. Yet another reason for not following shortened URLs where you can’t preview the real URL.

David Harley