JavaScript-Based Safari Ransomware Exploit Patched in iOS 10.3
iOS 10.3, released to the public this morning, fixes a bug that allowed scammers to attempt to extort money from iOS users through a JavaScript pop-up in Safari.
As explained by mobile security firm Lookout (via Ars Technica), the scammers targeted iOS users viewing pornographic material and abused JavaScript pop-ups to create an endless pop-up loop that essentially locked the browser if the user didn't know how to bypass it.
Using "scareware" messages and posing as law enforcement, the scammers used the pop-ups to extort money in the form of iTunes gift cards from the victim, promising to unlock the browser for a sum of money.
The scammers abused the handling of pop-ups in Mobile Safari in such a way that a person would be "locked" out from using Safari unless they paid a fee -- or knew they could simply clear Safari's cache (see next section). The attack was contained within the app sandbox of the Safari browser; no exploit code was used in this campaign, unlike an advanced attack like Pegasus that breaks out of the app sandbox to install malware on the device.
The scammers registered domains and launched the attack from the domains they owned, such as police-pay[.]com, which the attackers apparently named with the intent of scaring users looking for certain types of material on the Internet into paying money.
The endless pop-up issue could be fixed by clearing the Safari cache, but many users likely did not know they didn't need to shell out money to regain access to their browsers.
Pop-up scams are no longer possible with iOS 10.3, as Apple has changed the way pop-up dialogs work. Pop-ups are now per-tab and no longer take over the entire Safari app.
Popular Stories
Apple is expected to announce iOS 18 during its WWDC keynote on June 10, and new features have already been rumored for many apps, including Apple Music, Apple Maps, Calculator, Messages, Notes, Safari, and others. Below, we recap iOS 18 rumors on a per-app basis, based on reports from MacRumors, Bloomberg's Mark Gurman, and others: Apple Maps: At least two new Apple Maps features are...
With the 10th anniversary of the Apple Watch approaching, we thought it would be fun to take a look back at an interesting bit of Apple Watch history. After the Apple Watch was announced in 2014, and before it became available in 2015, Apple sent out custom Apple Watch iPad demo kiosks to retail stores. The Apple Watch and iPad units used for these devices were specially designed, had custom ...
While Apple's upcoming iPad Pro models have been expected to feature the M3 chip for over a year, recent reports have unexpectedly suggested that the new devices will instead feature the as-yet-unannounced M4 chip. Subscribe to the MacRumors YouTube channel for more videos. Last week, Bloomberg's Mark Gurman said that he now believes there is a "strong possibility" that the upcoming iPad Pro ...
An in-depth Bloomberg report today resurfaced General Motors' decision to replace Apple CarPlay with its own software. Last year, GM announced that it planned to forgo Apple CarPlay in its new electric vehicles, starting with the 2024 Chevrolet Blazer EV. Instead, the automaker introduced a proprietary infotainment platform, aiming to control and customize the digital experience within its...
Just over six months ago, Apple supply chain analyst Ming-Chi Kuo said the likelihood of a new Apple Watch Ultra being released in 2024 was "decreasing," but it now sounds like there will be an Apple Watch Ultra 3 this year after all. In a direct message shared with MacRumors today, Kuo said that while the Apple Watch Ultra will be updated this year, the new model will have "almost no"...
Top Rated Comments
Good luck suing the makers of door locks or plate glass for "allowing" a burglar to pick the lock or break a window. Good luck suing the police for "allowing" the break-in. Good luck suing the telephone company for "allowing" a scammer to place a call, or the city for "allowing" a scammer to ring your doorbell. Failing to provide 100% safety is not the same as "allowing" a crime to occur.
The creators of these browser scams find weaknesses in the software. The developers of browsers plug the weaknesses. That's the same cat-and-mouse game you find anywhere there's crime.
Browsers are a particularly good target because, among other things, browsers are expected to correctly display web pages, regardless of who created that web page. Open Internet, and all that. You want a guarantee of 100% safety? Don't use the Internet.
I love the diversity around here. Some people complain that Apple's software allowed a scam to occur. Apple (presumably) attends to their needs by issuing software updates to combat the scams. Others are all up in arms, "How dare Apple force these updates upon us!"
the moment user have a choice in that, people will never update their OS and it just goes downhill from there.
Sometimes I run out of storage and Apple still sends the signal to download the iOS update.