Security News > 2021 > February > Malvertisers Exploited WebKit 0-Day to Redirect Browser Users to Scam Sites
A malvertising group known as "ScamClub" exploited a zero-day vulnerability in WebKit-based browsers to inject malicious payloads that redirected users to fraudulent websites gift card scams.
The attacks, first spotted by ad security firm Confiant in late June 2020, leveraged a bug that allowed malicious parties to bypass the iframe sandboxing policy in the browser engine that powers Safari and Google Chrome for iOS and run malicious code.
Specifically, the technique exploited the manner how WebKit handles JavaScript event listeners, thus making it possible to break out of the sandbox associated with an ad's inline frame element despite the presence of "Allow-top-navigation-by-user-activation" attribute that explicitly forbids any redirection unless the click event occurs inside the iframe.
To test this hypothesis, the researchers set about creating a simple HTML file containing a cross-origin sandboxed iframe and a button outside it that triggered an event to access the iframe and redirect the clicks to rogue websites.
"However, if it does redirect, that means we have a browser security bug on our hands, which turned out to be the case when tested on WebKit based browsers, namely Safari on desktop and iOS.".
Following responsible disclosure to Apple on June 23, 2020, the tech giant patched WebKit on December 2, 2020, and subsequently addressed the issue "With improved iframe sandbox enforcement" as part of security updates released earlier this month for iOS 14.4 and macOS Big Sur.