JavaScript bug found in iOS 6′s Smart App Banners

By , Dec 22, 2012

smart app banners 1

This is kind of weird. A new bug has been discovered in iOS 6 that has to do with the Smart App Banners feature. It seems that the banners, which websites can implement to give users a direct link to apps, will turn on the JavaScript setting in Safari without warning.

On the surface, this may not seem like a very big deal. After all, most folks don’t mess with the JavaScript settings on their iOS devices because a lot of web sites require it. But the fact that these Smart Banners are turning it on, unbeknownst to users, is a bit troubling…

The bug was first discovered back in October by hacker Andrew Plotkin, and was recently brought to light again by AppleInsider. The site spoke with Peter Eckersley of the digital rights group EFF, who described the issue as a “serious privacy and security vulnerability.”

“It is a security issue, it is a privacy issue, and it is a trust issue,” Eckersley said. “Can you trust the UI to do what you told it to do? It’s certainly a bug that needs to be fixed urgently.”

But Lysa Myers of Intego, a security firm, doesn’t think it’s quite that serious: “while this issue is certainly not an ideal situation, by itself it actually isn’t that large a problem.” She notes, though, that she’ll continue to monitor it to make sure it doesn’t become more exploitable.

safari javascript settings

If you want to see the bug first hand, simply execute the following steps on your iOS device:

  1. For starters, close all the way out of Safari and open the Settings app.
  2. In Settings, select the Safari tab, scroll all the way down to the Security section and disable JavaScript.
  3. Now, re-open Safari and visit a website that has a Smart App Banner, like store.apple.com.
  4. Finally, close down Safari and revisit the Safari Security section in the Settings app.

You should notice that the JavaScript feature has been automatically re-enabled. And it’ll actually stay that way until you disable it again. I was able to reproduce the bug on my iPhone 5 running iOS 6, but it’s been said that it’s present in all iOS 6 builds, including the 6.1 betas.

Again, at the moment, there’s really nothing to worry about — unless of course you keep JavaScript off, then it’s annoying. But the fact that these Smart Banners are overriding user settings without consent is still pretty sketchy. Didn’t Google just get in trouble for something like this?

 

  • Share:
  • Follow:
  • Blake

    It didn’t work for me

  • http://twitter.com/MCaudebec Maxim∑

    ”serious privacy and security vulnerability.” enabling java on iOS is not a serious security vulnerability. Pretty much all of us have this turned on. Yet another minor issue blown up by the media

    • selcukcura

      Its not a big deal at all, but the fact that it shouldnt be like that is why its a problem.

    • http://ak.net84.net/ Aram Kocharyan

      JavaScript not Java. Apple is disabling Java on be mac so it might be a while before I arrives on ios :)

  • seyss

    oh no I’m keeping my device turned off until apple fix this.. I’m so scared

    • http://www.facebook.com/joe.jonsen Joe Jonsen

      lolloolllllool i

  • N4TEX

    I can’t confirm this problem. Everything works fine on my iPhone 4S.

    Edit: tried it with a different Website. It really re-enabled the Jacascript. Sorry my fault.

  • Joost

    I wonder, can this be used for a userland jailbreak? Probably not but it is worth mentioning right?

  • Techpm

    Google was caught overriding the user’s cookie settings to set their own tracking cookies, which is a privacy issue, not JavaScript.

  • Faiz Nihad

    Didn’t work for me .. iPhone 5

  • http://www.facebook.com/joe.jonsen Joe Jonsen

    this is the most boring news report ever published..lolol you should have just given a santa clause location update

  • JaeM1llz

    Slow news day? Who cares, it’s just javascript, there’s really no reason for disabling it in the first place.

  • http://www.facebook.com/people/Steve-Johns/1034127348 Steve Johns

    Tried it on my 4S Didn’t re enable my javascript !

  • http://www.facebook.com/Mysto2k Manuel Andrade

    A new IOS6 bug was discovered last night, instead of rendering an ‘A’ you will be shown a ‘B’.

    People start shiting their Pants because of Apple Doomsday!

    ——

    But seriously the Media just nags about every little Media, just because its Apple, if it was in RIM nobody would give a Shit as high!

  • http://twitter.com/CallMeJaffy Jaffy Bratt

    This doesn’t work for me. As I turn javascript off, it doesn’t show any smart banner and as I turn it on, then it shows. Hence, I still have full control of my security.