JavaScript-Based Safari Ransomware Exploit Patched in iOS 10.3
iOS 10.3, released to the public this morning, fixes a bug that allowed scammers to attempt to extort money from iOS users through a JavaScript pop-up in Safari.
As explained by mobile security firm Lookout (via Ars Technica), the scammers targeted iOS users viewing pornographic material and abused JavaScript pop-ups to create an endless pop-up loop that essentially locked the browser if the user didn't know how to bypass it.
Using "scareware" messages and posing as law enforcement, the scammers used the pop-ups to extort money in the form of iTunes gift cards from the victim, promising to unlock the browser for a sum of money.
The scammers abused the handling of pop-ups in Mobile Safari in such a way that a person would be "locked" out from using Safari unless they paid a fee -- or knew they could simply clear Safari's cache (see next section). The attack was contained within the app sandbox of the Safari browser; no exploit code was used in this campaign, unlike an advanced attack like Pegasus that breaks out of the app sandbox to install malware on the device.
The scammers registered domains and launched the attack from the domains they owned, such as police-pay[.]com, which the attackers apparently named with the intent of scaring users looking for certain types of material on the Internet into paying money.
The endless pop-up issue could be fixed by clearing the Safari cache, but many users likely did not know they didn't need to shell out money to regain access to their browsers.
Pop-up scams are no longer possible with iOS 10.3, as Apple has changed the way pop-up dialogs work. Pop-ups are now per-tab and no longer take over the entire Safari app.
Popular Stories
The European Parliament today voted overwhelmingly in favor of enforcing USB-C as a common charging port across a wide range of consumer electronic devices, including the iPhone and AirPods, by the end of 2024.
The proposal, known as a directive, forces all consumer electronics manufacturers who sell their products in Europe to ensure that a wide range of devices feature a USB-C port. This...
iOS 16 was released to the public three weeks ago with a customizable Lock Screen, the ability to edit iMessages, improvements to Focus modes, and much more. And in the coming months, iPhone and iPad users have even more new features to look forward to.
We've rounded up 10 new features coming to the iPhone and iPad later this year, according to Apple. Many of the features are part of iOS...
Apple is developing new iPad Pro, Mac, and Apple TV models, and at least some of these products will be released in October, according to Bloomberg's Mark Gurman. However, Gurman continues to believe that Apple is unlikely to hold an event this month.
In the latest edition of his Power On newsletter, Gurman said "the big iPhone 14 unveiling last month was probably it for Apple in 2022 in...
iOS 16.0.2 was released last month with several bug fixes for iPhone 14 issues, excessive copy and paste permission prompts, and more. Now, evidence suggests that Apple is planning to release iOS 16.0.3 with additional bug fixes.
Evidence of an upcoming iOS 16.0.3 software update has shown up in MacRumors analytics logs, which have been a reliable indicator in the past.
There are several...
As of October 1, Apple SIM is no longer available for activating new cellular data plans on supported iPad models, according to an Apple support document.
Introduced in 2014, the Apple SIM was designed to allow iPad users to activate cellular data plans from multiple carriers around the world. Initially, the Apple SIM was a physical nano-SIM card, but it was embedded inside later iPad Pro...
Apple on September 23 officially launched the second-generation version of the AirPods Pro, introducing updated Active Noise Cancellation, Adaptive Transparency, improved sound, and more. Right around the same time, Bose introduced new QuietComfort II earbuds with many similar features, so we thought we'd compare the two to see which has the edge.
Subscribe to the MacRumors YouTube channel for ...
YouTube may make watching videos in 4K quality on the platform exclusive to only YouTube Premium subscribers, according to screenshots posted by users on Twitter and Reddit.
On Reddit (1,2) and Twitter, some users have started to recently notice that on iOS, and presumably across other platforms also, YouTube is now saying that in order to watch videos in 4K, the user must be a paying...
In a new interview, Apple's senior vice president of software engineering, Craig Federighi, and Apple's vice president of human interface design, Alan Dye, sat down to discuss the thinking behind the iPhone 14 Pro's Dynamic Island and how it was developed.
During the interview with the Japanese magazine Axis, Federighi, who oversees the development of iOS, said Dynamic Island represents the...
Top Rated Comments
Good luck suing the makers of door locks or plate glass for "allowing" a burglar to pick the lock or break a window. Good luck suing the police for "allowing" the break-in. Good luck suing the telephone company for "allowing" a scammer to place a call, or the city for "allowing" a scammer to ring your doorbell. Failing to provide 100% safety is not the same as "allowing" a crime to occur.
The creators of these browser scams find weaknesses in the software. The developers of browsers plug the weaknesses. That's the same cat-and-mouse game you find anywhere there's crime.
Browsers are a particularly good target because, among other things, browsers are expected to correctly display web pages, regardless of who created that web page. Open Internet, and all that. You want a guarantee of 100% safety? Don't use the Internet.
I love the diversity around here. Some people complain that Apple's software allowed a scam to occur. Apple (presumably) attends to their needs by issuing software updates to combat the scams. Others are all up in arms, "How dare Apple force these updates upon us!"
the moment user have a choice in that, people will never update their OS and it just goes downhill from there.
Sometimes I run out of storage and Apple still sends the signal to download the iOS update.