Security News > 2021 > February > “ScamClub” gang outed for exploiting iPhone browser bug to spew ads

“ScamClub” gang outed for exploiting iPhone browser bug to spew ads
2021-02-17 19:59

Digital ad company Confiant, which claims to "Improve the digital marketing experience" for online advertisers by knowing about and getting rid of malicious and unwanted ads, has just published an analysis of a malvertising group it calls ScamClub.

According to Confiant, the ScamClub crew took things to an even more aggressive level by actively targeting a bug in Apple's WebKit browser engine, the compulsory software core that every browser on your iPhone, including Safari, is required to use.

The bug, dubbed CVE-2021-1801, was patched by Apple in recent updates to iOS and iPadOS and macOS. Confiant says that the vulnerability, although nowhere near serious enough to allow remote code execution or any kind of major privilege escalation such as exfiltrating data belonging to other apps, nevertheless gave these rogue advertisers a chance to evade security restrictions that the WebKit sandbox was supposed to enforce.

Google, for example, found that out nearly 10 years ago when it was hit with a multimillion dollar fine for using a security bypass trick against Apple users to set browser cookies that Safari would otherwise have blocked.

If you're an iOS 13 user, please note that the latest security update for iOS 13 is iOS 14.4.

You will often give away a pile of personal data only to find that you need to give away even more, including making online credit card purchases through websites you wouldn't normally trust, to stay "On track" for your "Prize".


News URL

https://nakedsecurity.sophos.com/2021/02/17/scamclub-gang-outed-for-exploiting-iphone-browser-bug-to-spew-ads/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2021-04-02 CVE-2021-1801 This issue was addressed with improved iframe sandbox enforcement.
network
low complexity
apple fedoraproject webkitgtk
6.5