This site crashes Chrome, Firefox, and Safari, resets your iPhone and iPad

Browsers are complicated pieces of software designed to open websites. But sometimes those websites are designed to cause problems for browsers. That’s exactly what crashsafari.com was created for.

A simple script keeps adding characters into the browser’s address bar, overloading the app’s memory, causing it to hang and eventually crash. As its name implies, the site “crashes” Safari. In fact, if you use Safari for iOS, your mobile device will be affected as well. Chrome and Firefox struggle with crashsafari.com too. We did some testing across various browsers and platforms, and here is what we found (your mileage will vary depending on your browser version and device).

Safari is affected the most. Safari for OS X and iOS both freeze up, and you can’t navigate to any other URL. In fact, if you’re using Safari on iOS, your iPhone and iPad will likely reset: Your screen will go blank, you’ll see the Apple logo, and after a few seconds your device will come back to life as if nothing happened.

https://twitter.com/toptopt0p/status/691277239514742786

Chrome is also similarly affected. Chrome for Android, iOS, OS X, and Windows end up hanging and won’t let you use the browser. Chrome also won’t let you navigate to another website. That said, the problem appears to stay within Chrome: Your device shouldn’t be affected. If you’re on an older computer or mobile device, you may see different results.

Firefox for Android, iOS, Windows, and OS X all take a long while to load the site. On OS X and iOS, Firefox hangs and eventually crashes (some iPhone/iPad users will find their device resets as well). On Windows and Android, Firefox issues a warning for an “unresponsive script.” Stopping the script sometimes works, but other times the browser still ends up crashing.

The only major browser that handles the website without a hitch is Microsoft Edge. It loads the site immediately as if nothing were the matter:

Apple, Google, and Mozilla will likely want to change how their respective browsers react to such scripts. Indeed, Firefox clearly tries to stop the script in its tracks. That said, because there is no security concern here (an attacker can’t gain control of your device nor steal your data), we’re not expecting this to be fixed with any rapidity.

For those interested, here is the source code:

The first mention we could find of crashsafari.com was in April 2015 (a quick whois lookup confirms that’s when the domain was registered):

We've heard your concerns and have built http://t.co/WtrDcoo5Fz and http://t.co/nPS1oFMh5P so no browser goes unsupported!

— mandatory@infosec.exchange (@IAmMandatory) April 29, 2015

But after a Hacker News submission last week, it slowly began to pick up steam. By today, it had gone viral.

Wow. One “Crash Safari” short-link has been clicked on more than one hundred thousand times… pic.twitter.com/JqotjPiN1j

— F-Secure Labs (@FSLabs) January 25, 2016

We have contacted Apple, Google, and Mozilla for comment on how they plan to address this issue, if at all. We’ll update this article if we hear back.