Potentially Malicious JavaScript Bug Discovered In iOS 6

A new JavaScript bug that can potentially cause some major security and privacy implications, has been discovered in iOS 6 that re-enables JavaScript in mobile Safari without asking the user, AppleInsider is reporting. It appears that a new “Smart App Banner” feature in iOS 6, this allows developers to promote App Store software within Safari, is responsible.

Javascript 121220

The report describes that the Smart App Banner detects whether a user has a specific application installed, and invites him to view the software on the App Store or open it on his iOS device. But when a Smart App Banner appears, it automatically and permanently turns JavaScript on, even if the user has turned off JavaScript in Safari settings, without notifying. To test the issue on your iOS 6, turn off Safari JavaScript through the Settings app, and visit a website with a Smart App Banner, such as this test page using iOS Safari. This will turn on JavaScript, flipping the switch back to “On” in Settings without your consent.

Peter Eckersley, technology products director with digital rights advocacy group the Electronic Frontier Foundation, said he would characterize such an issue as a “serious privacy and security vulnerability.”

Neither Eckersley nor the EFF had heard of the bug in iOS 6, nor had they independently tested to confirm that they were able to replicate the issue. But Eckersley said that if the problem is in fact real, it’s something that Apple should work to address as quickly as possible.

“It is a security issue, it is a privacy issue, and it is a trust issue,” Eckersley said. “Can you trust the UI to do what you told it to do? It’s certainly a bug that needs to be fixed urgently.”

The issue has reportedly existed since the release of iOS 6, and it applies to all builds of iOS 6 on all iPhone, iPad and iPod touch devices.