Apple iPhone users are at risk after a security flaw is discovered in Google Chrome on iOS. According to the reports, a well-known threat actor known as eGobbler exploited a vulnerability in Google Chrome browser to target iPhone users.
The attackers were able to server malvertising ad on more than 500 million iPhone devices in a mere 10 days.
Malvertising, in short, is known as malicious advertising. In malvertising, the attackers take over a legitimate ad server and redirect users to fraudulent webpages and content.
These types of attacks provide two-fold profit to the attacker as ads and redirected pages both provide money on web page view.
eGobbler is known for its’s attack pattern as it is a well-coordinated group of cybercriminals who are able to hit huge volumes of malicious ads before going silent for days.
Google Chrome Vulnerability
Chrome on iOS runs Webkit instead of chromium engine. The Chrome sandbox should be able to prevent malicious adverts from hijacking the browser session and prevent redirection to malicious pages.
However, the researchers at Confiant suggests that somehow eGobbler was able to bypass the need for iPhone user interaction. The bypass is technically impossible.
Eliya Stein the researcher who found out this exploit tweeted explaining further that attackers don even need to start a redirect to hijack the browser session.
Security industry also pointed out the responsibility of web browser developers as it is the second most sophisticated programme after the operating system.
The researcher reported that Google has been notified about the exploit and the security team has responded. The security team is still investigating the issue and the vulnerability is still unpatched.
If the history repeats itself then, the eGobbler will start another wave of their campaigns since the holidays are around. As an iPhone user, you should upgrade the browser as soon as an update is released or change the browser.