Three Ways to Fix a Safari Browser Hijack in iOS 11

There’s a particularly nefarious form of hijackware that can take over Safari in iOS. Fortunately, there are three fairly easy ways to solve an iOS browser hijack (also called a Safari hijack): clearing your cache, disabling JavaScript, and using an external link to force open a new window or tab. I’ll explain each of these methods below.

You can skip to the instructions if you don’t want the description first.

Safari Hijack in iOS

A browser hijack, or safari hijack, is when a malicious webpage—or more likely, a malicious ad on an otherwise legitimate webpage—takes over your browser. There are a few different versions of this. One variant puts a dialog box on your screen asking you to call a phone number, like in the screenshot below.

WARNING: NEVER CALL A PHONE NUMBER LIKE THIS—IT’S A SCAM BY BOTTOM FEEDING SCUMBAGS TRYING TO TRICK YOU INTO GIVING THEM YOUR CREDIT CARD INFO!

Screenshot of a browser hijack in iOS 11

The way this one worked was that you couldn’t cancel or otherwise dismiss the dialog box. And see how it looks all official, like it’s something form Apple? It isn’t. Instead, it’s JavaScript shenanigans whose only goal is to get you to call the thieves and hand over personal data, credit card info, and sometimes remote access to your device.

So, as the warning says, don’t fall for this, never call a number like that, and use the methods below to get around a safari hijack like this if you stumble into one.

Browser Hijack Variant

Another variation is the one I encountered below. In this version, a maliciously—or maybe just poorly—coded ad didn’t hijack my entire browser. Instead, it hijacked the webpage I was trying to visit. No matter what I did, I was rerouted to some spammy BS site when I opened Safari.

Another Safari Hijack Variant

These hijacks usually aren’t the fault of the site operator, and sometimes not even the ad network they’re on. Spammers and thieves are engaged in an unrelenting effort to get their maliciously crafted ads onto ad networks, especially the automated ones. While most of those networks remove the malware ads (eventually), the bad guys are always trying to get new ones in.

Next: How to Fix a Safari Hijack in iOS 11

Page 2 – How to Fix a Safari Hijack in iOS 11

Dealing with Browser Hijacks in iOS

iOS is well built, and there aren’t any known vectors for actually taking over your iPhone or iPad in Apple’s mobile OS. What these asshats are doing is using JavaScript to effectively block functionality in Safari. The three methods I outline below are easy workarounds, starting with clearing your browser cache.

With this method, we’ll force quit Safari and then clear some or all of your cache to delete the offending webpage.

Step 1: Force Quit Safari. In iOS 11 on iPhone 8/Plus and earlier, as well as iPad, double tap the Home Button to bring up the App Switcher. Swipe up on Safari to Force Quit.

In iOS 11 on iPhone X, swipe up from the bottom of the screen and hold (or, swipe up and to the left in an arc) to bring up the App Switcher. Tap and hold on an app until the red circles with a minus sign appears. Tap the minus sign on Safari to Force Quit the app.

App Switcher in iOS 11 on iPhone X

Step 2: Go to Settings > Safari > Clear History and Website Data > Clear History and Data, as shown below. This will erase the cache for Safari on this device—AND every other device that syncs Safari through iCloud—erasing the problematic webpage from your device.

You may be given the option of just erasing data from the last hour. This is a great option if you don’t want to lose the rest of your web cache. I used that option when dealing with my encounter, but didn’t have it when taking screenshots for this article.

Clear History and Data in iOS 11

This will solve most browser hijacks in iOS 11. When you open up Safari again, the offending page will be gone and you’ll be free to user your device normally.

Two Methods for Dealing with More Pernicious Browser Hijacks

Sometimes, though, the scumbags get a little more clever, and clearing your data alone doesn’t work. Don’t ask me how that’s possible, but I found the two methods below when helping someone with just this problem.

If clearing your history and data doesn’t work, you can try turning off JavaScript. To do so, first Force Quit Safari as described above. This might not be necessary, but it’s better to be thorough and cover all your bases. Then, go to Settings > Safari > Advanced, and tap the JavaScript toggle until its off, as shown below.

Advanced Safari Settings in iOS 11

Relaunch Safari and you should be able to close the offending tab. You may also want to clear your History and Data, as described above. You can then turn JavaScript back on, as many useful and legitimate features on webpages use it.

Using an External Link to Bypass a Browser Hijack

There’s yet one more method for bypassing a hijacked browser window in Safari in iOS 11, and that’s to open a new window by tapping on a link in another app. You can do this any number of ways. For instance, having a friend send you a URL in iMessage. In a pinch, you can send the URL yourself to a friend in iMessage. Once it’s in a chat, you can tap it no matter who sent it.

If you already have a link someone sent you, use that, be it in iMessage, Mail, a Note, or anywhere else. The object here is to send the URL to Safari, which will open it in a new window, despite the browser hijack. Here’s an example:

Tapping a URL in iMessage

Once you tap it and head back to Safari, it will open the new window. You can then go to the tab browser in Safari and swipe the offending webpage away.

Tab switcher in Safari on iPhone X

In the case where I helped a friend, the malicious page would reassert itself on top of the new tab. It was a really well-crafted piece of scummery. She had only a split second to tap the tab switcher, and it took several tries. In the end, however, we won and the scumbags were defeated.

Yay us!

Hopefully these steps will help you beat the bad guys, too.

Share this post