Apple's iOS 10.3 patches mobile Safari bug used in ransomware campaign
Nefarious actors using a mobile Safari exploit to extort iTunes gift cards from unwitting iOS device users will need to look elsewhere, as Apple patched the web browser flaw as part of Monday's iOS 10.3 update.

Using the vulnerability, which leveraged the way Safari handled JavaScript pop-up windows, ransomware scammers primarily targeted users viewing pornographic material, bootlegged music and other content, reports ArsTechnica.
In practice, the flaw present in iOS 10.2 allowed scammers to enact an endless loop of pop-ups, effectively locking users out of the browser. The pop-ups would continue -- some incorporating threatening messages -- until victims paid a "fee" in the form of an iTunes gift card code delivered to a phone number via text.
Explaining the scam, mobile security firm Lookout called the exploit "scareware," as social engineering was key to the method's success. Scammers would carry out attacks from domains like "pay-police[.]com" and others named to evoke legitimate law enforcement authorities.
Combined with customized web content published to owned domains, the goal was to elicit fear from targeted users. As seen in the example above, exploit code planted on certain websites would lead users to a landing page containing text claiming their device was locked "for illegal pornography."
The attack would then fall into a never-ending loop of pop-ups reading "Cannot Open Page." Tapping "OK" would invoke yet another pop-up containing the same message.
"The attackers effectively used fear as a factor to get what they wanted before the victim realized that there was little actual risk," write Lookout researchers Andrew Blaich and Jeremy Richards.
Lookout notes a cache reset, performed by navigating to Settings > Safari > Clear History and Website Data, would rectify the pop-up loop issue, but users not familiar with mobile Safari's inner workings were unlikely to discover the simple fix. Further, victims were perhaps unwilling to ask for help due to the content of pages where the attack code was embedded.
Lookout shared the details of the scareware campaign with Apple after discovering it last month. The iPhone maker subsequently patched the flaw by making JavaScript pop-ups a per-tab event, rather than app-wide.
Comments
People that come from Windows may apply their own terminology. On Linux/UNIX/macOS/iOS, they are "processes" instead of "tasks", but at the end of the day, he's referring to the same thing — the fast-app switcher that lets you quit running apps.
Now, as for AppleInsider calling this a "bug", it was not. It was simply an exploit of the design of the application-modal alerts. Apple changed the design to avoid such exploits from hijacking the entire app.
The alerts functioned as they were designed, so there was no "bug" or "code flaw". But a "design flaw" in the larger scheme of things is not wrong, though. Apple changed the design to mitigate the behaviour.
Let's not spread FUD by over-generalizing terms, eh?
We can even test this by loading a few apps that have a nice long startup screen. Large games, for example. Load them, then activate FAS to see them in the order in which they were last active, then restart your iDevice. After it restarts you can load FAS again to see those apps still listed and in the same order as before the restart, but if you click one you'll now get the initial load screen because it wasn't preloaded into RAM with the reboot.
Anyway, I ignored the warnings and just double-clicked the home button and slid Safari off. Went to Safari settings and turned off JavaScript and went back to Safari and it totally disabled it.
Yes, I got the vernacular wrong. "A rose by any other name… "
And yet, it's the only way to kill an app running as a background process or an app that insists on reloading data when it restarts (like the JavaScript scareware from the article). However you want to sugarcoat it, that's a task manager (and something Steve said no smartphone should need).
To put it another way, I know plenty of people that will constantly clear out their FAS because they believe it works just like Windows Task Manager, so they think they're saving themselves battery life (when they're likely hurting it from having to constantly relaunch frequently used apps), and are just wasting their time since most apps, most of the time, are doing what they should and performing as efficiently as possible under Apple's strict and excellent guidelines for using background processes after the app is no longer on screen.