A malvertising group known as “ScamClub” exploited a zero-day vulnerability in WebKit-based browsers to inject malicious payloads that redirected users to fraudulent websites gift card scams.
The attacks, first spotted by ad security firm Confiant in late June 2020, leveraged a bug (CVE-2021–1801) that allowed malicious parties to bypass the iframe sandboxing policy in the browser engine that powers Safari and Google Chrome for iOS and run malicious code.
To test this hypothesis, the researchers set about creating a simple HTML file containing a cross-origin sandboxed iframe and a button outside it that triggered an event to access the iframe and redirect the clicks to rogue websites.
“The […] button is outside of the sandboxed frame after all,” Confiant researcher Eliya Stein said. “However, if it does redirect, that means we have a browser security bug on our hands, which turned out to be the case when tested on WebKit based browsers, namely Safari on desktop and iOS.”
images from Hacker News