Pop-Up Mobile Ads Surge as Sites Scramble to Stop Them

Lily Hay Newman, reporting for Wired:

These redirects can show up seemingly out of the blue when you’re in a mobile browser like Chrome, or even when you’re using a service like Facebook or Twitter and navigating to a page through one of their in-app browsers. Suddenly you go from loading a news article to wriggling away from an intrusive ad. What enables these ad redirects to haunt virtually any browser or app at any time, rather than just the sketchy backwaters in which they used to roam? Third-party ad servers that either don’t vet ad submissions properly for the JavaScript components that could cause redirects, or get duped by innocent-looking ads that hide their sketchy code. […]

An ad hijacking your browser like that isn’t technically a hack, in the sense that it doesn’t exploit a software vulnerability. Instead, it relies on the attacker’s ability to submit and run ads that contain redirecting JavaScript. But though they aren’t a critical threat to web users yet, redirecting mobile ads could create a jumping off point for attackers. And since you encounter the redirects while browsing on even prominent, legitimate sites, there’s nowhere to hide. Sometimes the ads are even designed to block your “Back” button, or keep redirecting when you try to close them, making it difficult to escape without having to restart the browser.

“I do think it’s new that the ads are so pervasive and are on first-tier publishers,” says Anil Dash, CEO of the software engineering firm Fog Creek. “These things used to be relegated to garbage sites, now it’s happening on the New York Times.”

The fact that ad networks are delivering unvetted JavaScript in their payloads is unsurprising but horrifying. The scripts are confined to your browser’s sandbox, but JavaScript-based ads are effectively malware at this point: they violate your privacy; consume excessive CPU time, bandwidth, and battery life; and now literally hijack your browsing experience.

(And now with Meltdown and Spectre, we have the added worry that JavaScript might be malware that breaks through browsers’ sandbox protections.)

Tuesday, 9 January 2018