Potential privacy breach as iOS 6 bug enables JavaScript in Safari without user approval

A potentially serious threat to privacy has been discovered in the Safari app of Apple’s iOS 6 software. The bug affects all iOS 6 users, regardless of which build of the operating system they use. Essentially, the software error enables JavaScript in Safari without the consent of the user, a move described as a “serious privacy and security vulnerability.”

The problem arises from Apple’s ‘Smart App Banner’ feature, which detects whether a user has a particular app installed and gives them the option to view content in the application rather than in the Safari web browser. This also allows developers to promote applications that are specific to the user. The problem is that the feature uses JavaScript to detect whether the app is installed and doesn’t ask for user consent to use it, even if JavaScript is switched off in the settings. Once this happens, JavaScript stays turned on until the user switches it off again.


This is an issue that has been reported (though reports have been few and far between) since Apple launched iOS 6 a few months back. The bug is still present in the beta of iOS 6.1, as has been announced by several developers who have access to the software.

However, although there has been a bit of an uproar about this across the world of Apple fans, Lysa Myers from Intego – a security firm – reckons that this particular bug shouldn’t be a big worry for iOS 6 users:

“While this issue is certainly not an ideal situation, by itself it actually isn’t that large a problem (…) At the moment it doesn’t pose a threat, but we’ll continue to monitor it to make sure it doesn’t become more exploitable. There’s also the fact that few people actually disable JavaScript completely as it can partially, or totally, disable the majority of websites.”

Although the issue may not be a great threat, Electronic Frontier Foundation’s Peter Eckersley has this advice for any users of Safari on iOS:

“At this point, our advice for browsing the mobile web in private is: Don’t do it, (…) If you need privacy while you browse, use a desktop browser.”


Via: Apple Insider


  • tfoil2

    @PogoWasRight I’m surprised EFF didn’t suggest one of the iOS Tor browsers.

  • tfoil2

    @PogoWasRight I do find the “Smart App Banners” annoying though… I prefer web to apps for privacy reasons… fewer tracking vectors :)
