Occasionally when I’m reading an article through the Facebook app, a spam popup appears and locks up the screen unless I hit “OK”. The only way to get rid of it is to close out and restart the app entirely because some instinct inside me just knows that clicking OK would invite disaster into my phone. I got one this past week and started wondering, “Where do these popups come from? Doesn’t Apple have super-tight security against malware and spam?” So I started doing some research.
“What enables these ad redirects to haunt virtually any browser or app at any time, rather than just the sketchy backwaters in which they used to roam? Third-party ad servers that either don’t vet ad submissions properly for the JavaScript components that could cause redirects, or get duped by innocent-looking ads that hide their sketchy code…Publishers are particularly vulnerable, because they often rely on third-party ad networks for revenue. As a result, they can find themselves at the mercy of whatever a given ad network doles out. Even if publishers use only reputable services, those ad networks can themselves get duped.”
The biggest mistake people make with technology is assuming that it works the way they think it does. For example, publishers assume that third-party publishers have properly vetted their content, and ad networks assume that their JS code doesn’t have a secondary, malicious purpose. There’s a lot of potential for these spam popups to cause real damage to mobile devices, which likely don’t have any anti-malware programs installed. If companies don’t start regulating the content they provide on their platforms, this poses a huge potential security risk to users.
In summary:
- No surprise: they’re pretty bad. The notifications are all either marketing tricks or outright scams, and you may be giving the scammers access to your Facebook page. Redirecting ads can do different types of things—some of them are just a nuisance, but redirecting ads can also drop malware on people’s machines.
- Ways to fix it: Ad purchasers are not vetted well enough and are given too much leeway with regard to JavaScript code execution. Ad exchanges should crack down on this type of aggressive code with a better screening process.
- An ad hijacking your browser like that isn’t technically a hack, in the sense that it doesn’t exploit a software vulnerability. Instead, it relies on the attacker’s ability to submit and run ads that contain redirecting JavaScript. Though they aren’t a critical threat to web users yet, redirecting mobile ads could create a jumping-off point for attackers.
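
A sketch of the kind of screening the second bullet asks ad exchanges to do, added here as an example and not taken from the Wired article or from any ad network's tooling: a static check that flags creative JavaScript which redirects the embedding page or opens a blocking dialog. The rule ids, the function name and the sample creatives are constructed for illustration; pattern matching like this cannot see code assembled at run time, so such creatives are routed to manual review instead of being passed.

```javascript
// Added example: static pre-screen for ad creative JavaScript.
// Rule ids, function name and sample creatives are constructed for illustration.
const RULES = [
  { id: "top-navigation",   // navigates the page that embeds the ad
    re: /\b(?:top|parent)\.location\b/ },
  { id: "location-write",   // assigns to or replaces a location object
    re: /\blocation(?:\.href)?\s*=(?!=)|\blocation\.(?:replace|assign)\s*\(/ },
  { id: "modal-dialog",     // blocking dialog, like the "OK" popup described above
    re: /\b(?:alert|confirm|prompt)\s*\(/ },
  { id: "dynamic-code",     // code built at run time hides from the rules above
    re: /\beval\s*\(|\bnew\s+Function\s*\(|\batob\s*\(|\bfromCharCode\s*\(/ },
];

// Returns the matching rule ids and a verdict for one creative's script source.
function screenCreative(source) {
  const findings = RULES.filter((r) => r.re.test(source)).map((r) => r.id);
  let verdict = "pass";
  // Hidden code alone is not proof of abuse, but it cannot be cleared automatically.
  if (findings.includes("dynamic-code")) verdict = "manual-review";
  // Any visible redirect or blocking dialog is rejected outright.
  if (findings.some((id) => id !== "dynamic-code")) verdict = "reject";
  return { verdict, findings };
}

// Constructed sample creatives (example.invalid is a reserved, non-resolving name).
const SAMPLES = {
  banner:
    'var img = document.createElement("img");' +
    'img.src = "https://cdn.example.invalid/banner.png";' +
    "document.body.appendChild(img);",
  redirect:
    'if (confirm("You won a prize!")) {' +
    ' top.location.href = "https://example.invalid/claim"; }',
  hidden: "var code = atob(blob); eval(code);",
};

for (const [name, src] of Object.entries(SAMPLES)) {
  const { verdict, findings } = screenCreative(src);
  console.log(`${name}: ${verdict} [${findings.join(", ")}]`);
}
```
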
An informative article from Wired in January 2018 (quoted above): link