Apple WebKit bugs on iOS and macOS allowed 1B scam popup ads on websites

More than a billion scam popup ads were served thanks to bugs in Apple’s WebKit engine, which powers Safari on iOS and macOS, and in Chrome for iOS, which let the ads bypass the browsers’ built-in pop-up and redirect protections


Scam popup ads are one of the biggest headaches for web publishers. Scammers manage to get malicious ads into mainstream ad networks such as Google’s, which means the ads then appear on sites all over the web – but visitors naturally suspect the site itself is at fault.

Websites can block the offending ads, but only after they have already been served and reported.

Ad security company Confiant, which found and reported the bugs, notes that the specific exploits used have since been blocked: the Chrome one in Chrome 75 for iOS, and the WebKit one in iOS 13 and Safari 13.0.1. The company writes:

We have written about the threat actor eGobbler extensively on our blog over the last year as they’ve continued to emerge as a prolific source of malvertising. It’s not uncommon for their campaigns to compromise up to hundreds of millions of programmatic ad impressions in a matter of hours and the impact from their ongoing activity is felt across the United States and Europe.

Over the past 6 months, the threat group has leveraged obscure browser bugs in order to engineer bypasses for built-in browser mitigations against pop-ups and forced redirections.

This blog post will provide overviews and proofs of concept for both browser exploits. The first exploit, which we reported on April 11, 2019, impacts Chrome versions prior to 75 on iOS. The second, which we reported on Aug. 7 and which was fixed in iOS 13 / Safari 13.0.1 on Sept. 19, impacts WebKit-based browsers.

The firm discovered the Chrome bug first, then the WebKit one. It reported the Chrome bug to Google in April 2019, and the fix shipped in Chrome 75 for iOS. It reported the WebKit bug to Apple in early August, and Apple fixed it as part of iOS 13 and Safari 13.0.1 on Sept. 19.

This is another good reason to keep your devices updated, but of course, as fast as one security loophole is closed, the bad guys find a new one, making it a constant battle.

9to5Mac is among the many websites hit by these scam popup ads, served via Google ads. We block them as fast as they are reported, as does Google, but it’s an ongoing game of whack-a-mole.




Photo: Shutterstock


Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!
