
Long-standing Safari bug could fuel misinformation campaigns

The mobile version of Safari is susceptible to a link-sharing feature flaw that could be abused to spread fake news headlines on a large scale.

The bug allowing this unorthodox exploitation to occur was originally spotted by the MacRumors website crew almost two years ago (in February 2019). In a nutshell, it boils down to an imperfection in the link-sharing feature of Safari on iPhone, iPad, and iPod touch mobile devices. The feature lets anyone add a text excerpt from an arbitrary article to the iMessage link preview, but it can be abused because users are able to type arbitrary headlines and share them with others as if these were real quotes from reputable sources.

At the time of discovery, the bizarre defect seemed like an innocuous way to poke some fun by sending genuine-looking, yet modified headlines to iMessage users. Fast forwarding to the present day makes the story less amusing, especially given that Apple hasn’t attended to the issue for a mind-boggling amount of time.

Examples of fake news headlines hinging on a bug in the mobile version of Safari. Image courtesy of Intego

The lowdown on the abuse logic

Researchers from IT security firm Intego recently did a detailed write-up on this bug. Let’s have a closer look at how the abuse works. When visiting a web page using Safari on an iPhone, iPad, or iPod touch, a user can select a text fragment and share this string with other people. All it takes is highlighting the phrase, tapping “Share”, and choosing the recipients. The trick is that the fragment can stem from a user input field embedded in the site. Effectively, this oddity turns user-generated content into an allowed element of the link preview.

To abuse the feature, a Safari user can type some text in a web page’s search area, select that string, tap the “Share” button, pick the “Message” icon on the sharing options screen, and submit the altered link preview to another iMessage user. As a result, the recipient will see a fake headline ostensibly stemming from the website. The issue gets worse if the linked-to resource is a trusted news outlet such as the New York Times, CNN, or Fox News.

What makes this bug potentially impactful?

Since the text generated by the sender will look like an original headline on a reputable site, Intego analysts emphasize that this flaw might have serious implications in the political or stock trading context. Fake news can manipulate public opinion amid an election process or trick investors into rushing headlong into buying or selling stocks.

That said, it’s strange that Apple has been turning a blind eye to this imperfection since early 2019 when it was first publicized by researchers. The white hats have tested the current iOS version (14.1) and even the latest beta build of iOS (14.2), and the bug is still there.

It’s worth mentioning that the user input fields on some popular websites, including Forbes and CBS News, don’t allow this form of abuse to get through. The whys and wherefores of the varying susceptibility to the link-sharing glitch have yet to be determined. The only silver lining is that there have been no documented instances of real-world exploitation of this bug so far. This could change, though, if Apple continues to ignore the issue.

