JavaScript-Based Safari Ransomware Exploit Patched in iOS 10.3

iOS 10.3, released to the public this morning, fixes a bug that allowed scammers to attempt to extort money from iOS users through a JavaScript pop-up in Safari.

As explained by mobile security firm Lookout (via Ars Technica), the scammers targeted iOS users viewing pornographic material and abused JavaScript pop-ups to create an endless pop-up loop that essentially locked the browser if the user didn't know how to bypass it.


Using "scareware" messages and posing as law enforcement, the scammers used the pop-ups to extort money in the form of iTunes gift cards from the victim, promising to unlock the browser for a sum of money.

The scammers abused the handling of pop-ups in Mobile Safari in such a way that a person would be "locked" out from using Safari unless they paid a fee -- or knew they could simply clear Safari's cache (see next section). The attack was contained within the app sandbox of the Safari browser; no exploit code was used in this campaign, unlike an advanced attack like Pegasus that breaks out of the app sandbox to install malware on the device.

The scammers registered domains and launched the attack from the domains they owned, such as police-pay[.]com, which the attackers apparently named with the intent of scaring users looking for certain types of material on the Internet into paying money.

The endless pop-up issue could be fixed by clearing the Safari cache, but many users likely did not know they didn't need to shell out money to regain access to their browsers.

Pop-up scams are no longer possible with iOS 10.3, as Apple has changed the way pop-up dialogs work. Pop-ups are now per-tab and no longer take over the entire Safari app.

Top Rated Comments

(View all)
Avatar
47 months ago
Great news. These pop-up loops are the worst thing and they don't belong in 2017. Now Apple needs to prevent Safari ads from automatically taking you to the App Store for some crappy IAP fest game.
Score: 48 Votes (Like | Disagree)
Avatar
47 months ago
Finally, I can search for porn again.
Score: 19 Votes (Like | Disagree)
Avatar
47 months ago

I think it's all on apple to stop these scams and also refund anyone duped by them, because they've allowed a third party to effectively break the device and allow the scam to work.

"Allowed" how? Did they give the scammers instructions on how to "break" the device?

Good luck suing the makers of door locks or plate glass for "allowing" a burglar to pick the lock or break a window. Good luck suing the police for "allowing" the break-in. Good luck suing the telephone company for "allowing" a scammer to place a call, or the city for "allowing" a scammer to ring your doorbell. Failing to provide 100% safety is not the same as "allowing" a crime to occur.

The creators of these browser scams find weaknesses in the software. The developers of browsers plug the weaknesses. That's the same cat-and-mouse game you find anywhere there's crime.

Browsers are a particularly good target because, among other things, browsers are expected to correctly display web pages, regardless of who created that web page. Open Internet, and all that. You want a guarantee of 100% safety? Don't use the Internet.

I love the diversity around here. Some people complain that Apple's software allowed a scam to occur. Apple (presumably) attends to their needs by issuing software updates to combat the scams. Others are all up in arms, "How dare Apple force these updates upon us!"
Score: 8 Votes (Like | Disagree)
Avatar
47 months ago

And I hope Apple can STOP the automatic update downloads.
Sometimes I run out of storage and Apple still sends the signal to download the iOS update.

as a developers, i hope they will continue with the automatic update.

the moment user have a choice in that, people will never update their OS and it just goes downhill from there.
Score: 7 Votes (Like | Disagree)
Avatar
47 months ago
And I hope Apple can STOP the automatic update downloads.
Sometimes I run out of storage and Apple still sends the signal to download the iOS update.
Score: 4 Votes (Like | Disagree)
Avatar
47 months ago

There is a switch to stop app updates, but that doesn't include iOS itself? Unfortunate that Apple hasn't provided user control over that yet, but they do provide a way of deleting the downloaded update now.

https://www.igeeksblog.com/how-to-remove-software-update-download-from-iphone-ipad/

Except they force the download on you again as soon as you are connected to a Wifi Network, not only wasting space on your phone but wasting your download quotas on wifi - something extremely annoying and expensive if you live in a rural area, or are using hotel wifi. How about just having an opt-out option, or at least not immediately downloading it again if it is deleted.
Score: 4 Votes (Like | Disagree)

Top Stories

Apple References Unreleased 2020 16-Inch MacBook Pro in Boot Camp Update

Monday October 26, 2020 8:42 am PDT by
Last week, Apple released an update for Boot Camp, its utility for running Windows on a Mac. While this update would typically be unremarkable, several of our readers noticed that the release notes reference an unreleased 2020 model of the 16-inch MacBook Pro. While this could easily be a mistake, the 16-inch MacBook Pro is nearly a year old, so it is certainly a worthy candidate for a...

Google Reportedly Pays Apple $8-12 Billion Per Year to be Default iOS Search Engine

Sunday October 25, 2020 2:59 pm PDT by
The United States Justice Department is targeting a lucrative deal between Apple and Google as part of one of the U.S. government's largest antitrust cases, reports The New York Times. On Tuesday, the Justice Department filed an antitrust lawsuit against Google, claiming the Mountain View-based company used anticompetitive and exclusionary practices in the search and advertising markets to ...

iPhone 12 Pro Allows You to Measure Someone's Height Instantly Using LiDAR Scanner

Saturday October 24, 2020 11:12 am PDT by
iPhone 12 Pro models feature a new LiDAR Scanner for enhanced augmented reality experiences, but the sensor also enables another unique feature: the ability to measure a person's height instantly using the Measure app. You can even measure the seated height of a person in a chair, according to Apple. When the Measure app detects a person in the viewfinder, it automatically measures their...

MagSafe Charger Only Charges at Full 15W Speeds With Apple's 20W Power Adapter

Monday October 26, 2020 3:38 pm PDT by
Alongside the iPhone 12 and 12 Pro models, Apple introduced a new MagSafe charger that attaches to the magnetic ring in the back of the devices, providing up to 15W of charging power, which is double the speed of the 7.5W Qi-based wireless charging maximum. Apple does not provide a power adapter with the $39 MagSafe charger, requiring users to supply their own USB-C compatible option. Apple...

Early iPhone 12 Tests Show Ceramic Shield is Stronger and More Scratch Resistant Than iPhone 11 Glass

Friday October 23, 2020 1:21 pm PDT by
Apple's new iPhone 12 models are protected by a Ceramic Shield cover glass that has nano-ceramic crystals infused right into the glass to improve durability. According to Apple, Ceramic Shield offers four times better drop protection than the glass used for the iPhone 11 models. YouTube channel MobileReviewsEh conducted some tests on the iPhone 12 using a force meter to compare its performance ...

iPhone 12 Six-Foot Drop Test Results: Ceramic Shield More Durable But Not Damage Proof

Monday October 26, 2020 5:00 am PDT by
Apple's new iPhone 12 and iPhone 12 Pro feature a new Ceramic Shield screen that Apple says offers 4x better drop performance. To test that claim, Allstate Protection Plans put the two models through a range of breakability tests and recorded the results. In a face down sidewalk drop test at six feet, the iPhone 12 suffered small cracks and scuffed corners and edges, leaving sharp grooves in ...

Bloomberg: New AirPods and AirPods Pro Coming in 2021, AirPods Studio Delayed, Third HomePod Model Also Possible

Monday October 26, 2020 3:34 am PDT by
Apple plans to update its AirPods line next year with two new models including third-generation AirPods and second-generation AirPods Pro, according to a new report from Bloomberg. The Cupertino, California-based technology giant is working on two new models: third-generation entry-level AirPods and the second version of the AirPods Pro earbuds, according to people familiar with the plans. ...

Report: Apple Silicon iMac Featuring Desktop Class 'A14T' Chip Coming First Half of 2021

Tuesday October 27, 2020 4:14 am PDT by
The first iMac powered by Apple Silicon is set to arrive in the first half of next year and will feature a desktop class "A14T" chip, according to Chinese-language newspaper The China Times. Codenamed "Mt. Jade," Apple's first custom-made desktop processor will be twinned with its first self-developed GPU, codenamed "Lifuka," both of which are being produced using TSMC's 5-nanometer process, ...

iPhone 11 Pro Outlasts iPhone 12 and 12 Pro in Extensive Battery Life Test

Friday October 23, 2020 8:36 am PDT by
Arun Maini today shared a new side-by-side iPhone battery life video test on his YouTube channel Mrwhosetheboss, timing how long the new iPhone 12 and iPhone 12 Pro models last on a single charge compared to older models, with equal brightness, settings, battery health, and usage. All of the devices are running iOS 14 without a SIM card inserted. In the test, the iPhone 11 Pro outlasted both ...

Apple Warns MagSafe Charger Can Leave Circular Imprints on Leather Cases

Friday October 23, 2020 3:23 pm PDT by
If you keep your iPhone in a leather case while charging with Apple's new MagSafe Charger, the case might show circular imprints from contact with the accessory, according to a new Apple support document published today. Apple's leather cases for the iPhone 12 and iPhone 12 Pro are not available until November 6, but a MacRumors reader has already shared a photo of a circular imprint on...