MobileNews

Apple WebKit bugs on iOS and macOS allowed 1B scam popup ads on websites

More than a billion scam popup ads were served thanks to bugs in Apple’s WebKit and the open-source Blink frameworks which power Safari and Chrome on iOS and macOS…

Scam popup ads are one of the biggest headaches for web publishers. Scammers manage to get malicious ads into mainstream ad networks like Google, which means they then pop up all over the web – but web visitors naturally suspect the website itself is at fault.

Websites can block the offending ads, but only after they have already been served and reported.

Ad security company Confiant notes that the specific exploits used have been blocked in iOS 13 and Safari 13.0.1.

We have written about the threat actor eGobbler extensively on our blog over the last year as they’ve continued to emerge as a prolific source of malvertising. It’s not uncommon for their campaigns to compromise up to hundreds of millions of programmatic ad impressions in a matter of hours and the impact from their ongoing activity is felt across the United States and Europe.

Over the past 6 months, the threat group has leveraged obscure browser bugs in order to engineer bypasses for built-in browser mitigations against pop-ups and forced redirections.

This blog post will provide overviews and proof of concepts for both browser exploits. The first exploit that we reported on April 11, 2019 impacts Chrome versions prior to 75 on iOS. The second, which we reported on Aug. 7 was fixed in iOS 13 / Safari 13.0.1 on Sept. 19, impacts WebKit based browsers.

The firm discovered the Chrome bug first, then the WebKit one. It reported these to both Apple and Chrome security teams in early August. Chrome provided a patch a few days later, while Apple fixed it as part of iOS 13 and Safari 13.0.1.

This is another good reason to keep your devices updated, but of course, as fast as one security loophole is closed, the bad guys find a new one, making it a constant battle.

is among the many websites hit by these scam popup ads, served via Google ads. We block them as fast as they are reported, as does Google, but it’s an ongoing game of whack-a-mole.

Check out 9to5Mac on YouTube for more Apple news:

Check out the latest Apple iPhones at great prices from Gizmofashion – our recommended retail partner.


Author: Ben Lovejoy
Source: 9TO5Mac

Related posts
AI & RoboticsNews

Nvidia and DataStax just made generative AI smarter and leaner — here’s how

AI & RoboticsNews

OpenAI opens up its most powerful model, o1, to third-party developers

AI & RoboticsNews

UAE’s Falcon 3 challenges open-source leaders amid surging demand for small AI models

DefenseNews

Army, Navy conduct key hypersonic missile test

Sign up for our Newsletter and
stay informed!