Apple WebKit bugs on iOS and macOS allowed 1 billion rogue popup ads on websites

“More than a billion scam popup ads were served thanks to bugs in Apple’s WebKit and the open-source Blink frameworks which power Safari and Chrome on iOS and macOS,” Ben Lovejoy writes for 9to5Mac:

Scam popup ads are one of the biggest headaches for web publishers. Scammers manage to get malicious ads into mainstream ad networks like Google, which means they then pop up all over the web – but web visitors naturally suspect the website itself is at fault.

Websites can block the offending ads, but only after they have already been served and reported… 9to5Mac is among the many websites hit by these scam popup ads, served via Google ads. We block them as fast as they are reported, as does Google, but it’s an ongoing game of whack-a-mole.

Ad security company Confiant notes that the specific exploits used have been blocked in iOS 13 and Safari 13.0.1.

MacDailyNews Take: God knows we’ve covered this vexing problem extensively in the past. Thankfully, this hole is closed!

Please remember that if you ever get an ad that redirects you somewhere else, it is not our intent. We are not choosing to run those badverts. Criminals are exploiting weaknesses in browsers and ad networks in order to hijack users. Such malvertising in the polar opposite of our intent and, likely, that of every other reputable web publisher as well. As Ben wrote, scam popup ads are one of the biggest headaches for web publishers! (We can’t even begin to tell you how sick and tired we are of dealing with this – it’s been going on for years!)

Hopefully, this is the end of this scourge!

See also:
Regarding those #$@&%*! unintentional rogue pop-up ads – August 6, 2019
Malvertising: Unscrupulous website ads again auto-redirecting users to App Store from Safari – March 18, 2015
Shady app install ads automatically redirecting mobile users to App Store, Google Play – January 16, 2015