iOS 6 bug reenables JavaScript in Safari without user consent
The Safari browser in Apple's iOS 6 platform has a potentially serious JavaScript bug that could have major security and privacy implications.
The new "Smart App Banner" feature in iOS 6 is designed to allow developers the ability to promote App Store software within Safari. The Smart App Banner detects whether a user has a specific application installed, and invites them to view the software on the App Store or open it on their iOS device.
But for users who choose to turn off JavaScript in the Safari Web browser, the appearance of a Smart App Banner on a website will automatically and permanently turn JavaScript back on without notifying the user.
iOS device owners can test this issue, first discovered by AppleInsider reader James, by opening the Settings application and choosing Safari, then turning off JavaScript. Then simply launch the Safari browser and visit a website with a Smart App Banner, such as the test page we've set up at appleinsider.com/smart-banner.html (this will turn on JavaScript to demonstrate the issue).
Users can then go back into the Settings application to verify that the JavaScript setting switch has been flipped back to the "on" position without warning. Accordingly, JavaScript features on websites will begin working again.
The issue has reportedly existed since the release of iOS 6 months ago, though it has not been widely reported. Michael Stockwell, founder of FizzPow Games, helped confirm for AppleInsider that the issue applies to all builds of iOS 6 on all devices ??iPhone, iPad and iPod touch. In addition, people familiar with the latest beta of iOS 6.1 said the problem also remains in Apple's pre-release test software on the iPhone.
A potentially 'serious' issue?
Peter Eckersley, technology products director with digital rights advocacy group the Electronic Frontier Foundation, said he would characterize such an issue as a "serious privacy and security vulnerability."
Neither Eckersley nor the EFF had heard of the bug in iOS 6, nor had they independently tested to confirm that they were able to replicate the issue. But Eckersley said that if the problem is in fact real, it's something that Apple should work to address as quickly as possible.
"It is a security issue, it is a privacy issue, and it is a trust issue," Eckersley said. "Can you trust the UI to do what you told it to do? It's certainly a bug that needs to be fixed urgently."
But Lysa Myers, a virus hunter at security firm Intego, said she doesn't see the bug as a major concern for the vast majority of iOS device owners.
?While this issue is certainly not an ideal situation, by itself it actually isn?t that large a problem," Myers told AppleInsider. "At the moment it doesn?t pose a threat, but we?ll continue to monitor it to make sure it doesn?t become more exploitable. There?s also the fact that few people actually disable JavaScript completely as it can partially, or totally, disable the majority of websites.?
Eckersley acknowledged that most users would not feel compelled to dive into a browser's settings and turn off JavaScript. But for those who view security as a paramount concern, disabling JavaScript in a browser is one of the first actions typically taken.
"It's not necessarily directly and immediately a security vulnerability, but it's the kind of thing that would enable some other vulnerability to be exploited," he said.
Why disable JavaScript?
While JavaScript enables developers to create rich Web experiences and is required by most websites, it can also be used to help track and provide a "digital fingerprint" of a user's Web browser. With JavaScript, a website can potentially track information such as how much time a user spends on a page, what parts of the page they look at, what characters they type into entry fields on the page, and what link they click to leave.
The EFF's Panopticlick project showcases how personal and trackable a user's browser can be. The foundation recommends that users disable JavaScript to defend against browser fingerprinting.
Thanks to JavaScript, each browser is a "beautiful and unique snowflake," Eckersley said. Our one-of-a-kind browsing history can tell advertisers and others information about ourselves that is potentially personal and valuable.
"The only way you can really reduce that in practice is to disable JavaScript," Eckersley said.
Highlighting less flexibility with mobile browsers
For Eckersley, any issue with JavaScript in iOS 6 would only further establish his view that current mobile browsers are woefully underpowered when compared to their desktop counterparts. He noted that with more full-featured browsers on platforms like OS X and Windows, users can install custom plugins or add-ons that can enhance features and improve security if users choose.
For example, a popular choice among the privacy conscious is "NoScript," an open source plugin that blocks JavaScript, Java and Flash for Firefox users. Because Apple's mobile version of Safari does not support third-party plugins, there are no such enhancements available for iOS.
Eckersley feels the design ideology of modern smartphone platforms is to make everything as simple as possible, a strategy that he called "hostile to privacy."
"At this point, our advice for browsing the mobile web in private is: Don't do it," he said. "If you need privacy while you browse, use a desktop browser."
The new "Smart App Banner" feature in iOS 6 is designed to allow developers the ability to promote App Store software within Safari. The Smart App Banner detects whether a user has a specific application installed, and invites them to view the software on the App Store or open it on their iOS device.
But for users who choose to turn off JavaScript in the Safari Web browser, the appearance of a Smart App Banner on a website will automatically and permanently turn JavaScript back on without notifying the user.
iOS device owners can test this issue, first discovered by AppleInsider reader James, by opening the Settings application and choosing Safari, then turning off JavaScript. Then simply launch the Safari browser and visit a website with a Smart App Banner, such as the test page we've set up at appleinsider.com/smart-banner.html (this will turn on JavaScript to demonstrate the issue).
Users can then go back into the Settings application to verify that the JavaScript setting switch has been flipped back to the "on" position without warning. Accordingly, JavaScript features on websites will begin working again.
The issue has reportedly existed since the release of iOS 6 months ago, though it has not been widely reported. Michael Stockwell, founder of FizzPow Games, helped confirm for AppleInsider that the issue applies to all builds of iOS 6 on all devices ??iPhone, iPad and iPod touch. In addition, people familiar with the latest beta of iOS 6.1 said the problem also remains in Apple's pre-release test software on the iPhone.
A potentially 'serious' issue?
Peter Eckersley, technology products director with digital rights advocacy group the Electronic Frontier Foundation, said he would characterize such an issue as a "serious privacy and security vulnerability."
Neither Eckersley nor the EFF had heard of the bug in iOS 6, nor had they independently tested to confirm that they were able to replicate the issue. But Eckersley said that if the problem is in fact real, it's something that Apple should work to address as quickly as possible.
"It is a security issue, it is a privacy issue, and it is a trust issue," Eckersley said. "Can you trust the UI to do what you told it to do? It's certainly a bug that needs to be fixed urgently."
But Lysa Myers, a virus hunter at security firm Intego, said she doesn't see the bug as a major concern for the vast majority of iOS device owners.
?While this issue is certainly not an ideal situation, by itself it actually isn?t that large a problem," Myers told AppleInsider. "At the moment it doesn?t pose a threat, but we?ll continue to monitor it to make sure it doesn?t become more exploitable. There?s also the fact that few people actually disable JavaScript completely as it can partially, or totally, disable the majority of websites.?
Eckersley acknowledged that most users would not feel compelled to dive into a browser's settings and turn off JavaScript. But for those who view security as a paramount concern, disabling JavaScript in a browser is one of the first actions typically taken.
"It's not necessarily directly and immediately a security vulnerability, but it's the kind of thing that would enable some other vulnerability to be exploited," he said.
Why disable JavaScript?
While JavaScript enables developers to create rich Web experiences and is required by most websites, it can also be used to help track and provide a "digital fingerprint" of a user's Web browser. With JavaScript, a website can potentially track information such as how much time a user spends on a page, what parts of the page they look at, what characters they type into entry fields on the page, and what link they click to leave.
The EFF's Panopticlick project showcases how personal and trackable a user's browser can be. The foundation recommends that users disable JavaScript to defend against browser fingerprinting.
Thanks to JavaScript, each browser is a "beautiful and unique snowflake," Eckersley said. Our one-of-a-kind browsing history can tell advertisers and others information about ourselves that is potentially personal and valuable.
"The only way you can really reduce that in practice is to disable JavaScript," Eckersley said.
Highlighting less flexibility with mobile browsers
For Eckersley, any issue with JavaScript in iOS 6 would only further establish his view that current mobile browsers are woefully underpowered when compared to their desktop counterparts. He noted that with more full-featured browsers on platforms like OS X and Windows, users can install custom plugins or add-ons that can enhance features and improve security if users choose.
For example, a popular choice among the privacy conscious is "NoScript," an open source plugin that blocks JavaScript, Java and Flash for Firefox users. Because Apple's mobile version of Safari does not support third-party plugins, there are no such enhancements available for iOS.
Eckersley feels the design ideology of modern smartphone platforms is to make everything as simple as possible, a strategy that he called "hostile to privacy."
"At this point, our advice for browsing the mobile web in private is: Don't do it," he said. "If you need privacy while you browse, use a desktop browser."
Comments
That must be why Android users never show up in web usage stats, they're worried about the privacy issue.
2. Are we sure it is a bug and not a part of the feature. JavaScript could be required for the banner to actually function. Yes it would be nice if folks were told it was being switched on. Or even that it needs to be and force them to go do it themselves but does the lack really make it a full court press issue
3. Is not 'permenant' when I can switch it back just fine. Permenant implies the switch is grayed out for life or some such
I've been on that site before. They can't prove that any actual private information is taken without anyone's consent with their 'test' and I found it amusing that it doesn't really work with you have JavaScript off. Which might provoke many folks into turning in JavaScript to see actual results
This is way overblown.
iOS 6.1 beta 4 doesn't exhibit this issue.
Quote:
Originally Posted by dtidmore
Just tested my ip5 running 6.0.2 and this reported bug is pure bs. I have JS turned off and when I attempt to launch anything that needs JS I get a message the JS is off and must be turned on to view. There is NO automatic JS turnon, at least not in 6.0.2.
Not just any page with JavaScript will turn it back on... only those with a Smart App Banner do. Clearly the underlying system that detects whether a Banner needs to be displays also re-enabled JavaScript in order to do so, but forgets to disable it again after the banner has been displayed. It could be that if JavaScript were disabled, the banner wouldn't function. Catch-22.
But this is really not a serious bug... probably 99% of people don't even disable JavaScript, and as another poster said, it's easy to disable again.
The test page set up by AppleInsider does indeed re-enable JavaScript. Note that you need to reload the Safari Settings page to see the changed state of the toggle switch.
Seriously, who turns off JS? I am sorry, no JS, no service for you.
JS is PART of the web standards and if you want dynamic webpages, you must have JS enabled. Otherwise you'll get nothing.
Quote:
Originally Posted by netrox
Seriously, who turns off JS? I am sorry, no JS, no service for you.
JS is PART of the web standards and if you want dynamic webpages, you must have JS enabled. Otherwise you'll get nothing.
I just turned off JavaScript and reloaded this AI page after restarting Safari. Everything works. The only meaningful change is the removal of the custom hover states that Huddler has applied to every button. You know, the ones that break the desktop site when on the iPad. I'm worried that I'm about to call it an improvement.
"The only way you can really reduce that in practice is to disable JavaScript," Eckersley said.
Or, once in a while, you can launch Settings, tap to the Safari page, and tap Clear Cookies and Data.
And tap Clear History while you're at it.
Better yet, slide the Private Browsing switch to ON.
Java is scary. JavaScript is not. Yes, this is a bug that should be fixed, and yes desktop browsers have better anti-tracking controls, but treating this as a security concern is overblown. If JavaScript has a security flaw, then THAT is a BIG issue. If it doesn’t, then enabling it (like 99.99% of people need anyway) then this is a small one.
http://www.ehow.com/how_2049858_make-tinfoil-hat.html
This site is funny at times.
Real people do.
Quote:
Originally Posted by nagromme
Java is scary. JavaScript is not. Yes, this is a bug that should be fixed, and yes desktop browsers have better anti-tracking controls, but treating this as a security concern is overblown. If JavaScript has a security flaw, then THAT is a BIG issue. If it doesn’t, then enabling it (like 99.99% of people need anyway) then this is a small one.
http://www.ehow.com/how_2049858_make-tinfoil-hat.html
Javascript IS a privacy concern since you can load any third-party scripts in your page.
Also, JavaScript on safari is leaking loads of memory. Without add-ons such as JavaScript Blocker, Safari is unusable on the desktop.
If someone tells you to turn JavaScript off, don't listen.
JavaScript is entirely different from Java and Flash. The latter two are bug ridden and can be seen as one big security hole, the former is part of the Internet standard and essential for viewing the web.
Being able to install plugins is the cause of most security breaches not the solution for it.
So browsing on iOS is safe compared to a desktop OS, even more so because iOS has restricted multitasking (so safari stops working if you switch apps and you cannot install a background process) and very strict sandboxing.
So all in all it's insane and factually wrong to advice people not to browse on iOS because it's unsafe.
J.
Quote:
Originally Posted by aBeliefSystem
"Seriously, who turns off JS? " This site is funny at times. Real people do.
I know, it's like watching people live in a bubble and they have no clue that there are like 8 billion other people in the world.
Originally Posted by zippy2shoes
I know, it's like watching people live in a bubble and they have no clue that there are like 8 billion other people in the world.
7 billion is like 8 billion at times. Usually when 1 billion just wants to be alone with 1 billion but no, then half billion has to step in and say something embarrassing that makes 1 billion flush.