According to ad security firm Confiant, security flaws in Apple’s WebKit as well as the Blink frameworks that power Chrome and Safari on macOS and iOS have led to over a billion scam pop-up ads being served.
These ads have become a major headache for web publishers. Nowadays, scammers are able to smuggle malicious ads into major networks, including Google.
Web visitors encounter them throughout the web, and mistakenly assume that they are being served by the websites they are visiting. Websites, meanwhile, are only able to block these ads after they have been displayed and reported.
Confiant said that the exploits in question were only blocked in Safari 13.0.1 and iOS 13. The firm added that over the past year, it had written about one of these scammers extensively on its blog.
The company, which calls itself eGobbler, has emerged as a very active source of ‘malvertising’, and its ad campaigns often compromise hundreds of millions of ad impressions. Web visitors throughout the US and Europe are regularly impacted by its activities.
Since April this year, the threat group has on several occasions exploited little-known browser bugs to sidetrack built-in browser protections against forced redirections and pop-ups. Confiant first reported one of these exploits on 11th April. This particular one affected Chrome versions before 75 running on Apple’s iOS.
The second one, which impacted WebKit-based browsers, was reported on 7th August and was only fixed on 19th September in Apple’s Safari 13.0.1 and iOS 13. Confiant reported these bugs to both Apple and Chrome.
Chrome released a patch within a few days, but Apple took nearly one and a half months to bring out a fix. All of this is just one more reason to update all your devices regularly, though even that will not provide 100% protection if companies such as Apple don’t respond faster to bug reports.