While browsing Google+ the other day with Google’s iPad app, I followed a link to The Sticky Tongue Project, covering wildlife with a focus on reptiles & amphibians. I was rather surprised at what appeared in the internal browser of Google’s app:
Who knew dolphins were hawking medication? But take a closer look: it’s the original website, with some titles replaced and spam links interspersed throughout the text. Obviously a malware attack on the server – but only visible in the internal browser of Google’s iPad app! This is how the website looks in Mobile Safari:
No medication spam in sight. Desktop browsers also show the website correctly. And this is just one example: I recall several other occasions when the embedded browser of Tweetbot for iPad would suddenly show porn spam when trying to navigate to a website linked from a tweet. In those cases, too, Mobile Safari would show the intended websites correctly.
What’s going on here? I’m not a web security expert but my guess is that these websites were indeed hacked, possibly through embedded advertising. However, the hacks were either old or deliberately targeted at relatively primitive browsers, presumably the great malware magnet Internet Explorer 6. The embedded browsers that Apple allows to third parties are sufficiently primitive to trigger the spam attacks while other browsers are not.
An alternative explanation would be that my own iPad was hacked, but I believe that unlikely: it would be a strange hack that affects only a minority of websites, and on two different applications but not the default web browser! Moreover, the same hack appeared in the embedded browser of Google’s app on my iPod touch.
In any event, I would be grateful if anyone could shed more light on this matter, or inform some competent people to get the ball rolling on pulling that malware off the web.
(Both pictures were taken with the iPad’s built-in screenshot feature, by the way: press the power button while holding down the Home button.)
2012-09-21: The hack was identified and removed, see my follow-up post.