Page 2 – How to Fix a Safari Hijack in iOS 11
Dealing with Browser Hijacks in iOS
iOS is well built, and there aren’t any known vectors for actually taking over your iPhone or iPad in Apple’s mobile OS. What these asshats are doing is using JavaScript to effectively block functionality in Safari. The three methods I outline below are easy workarounds, starting with clearing your browser cache.
With this method, we’ll force quit Safari and then clear some or all of your cache to delete the offending webpage.
Step 1: Force Quit Safari. In iOS 11 on iPhone 8/Plus and earlier, as well as iPad, double tap the Home Button to bring up the App Switcher. Swipe up on Safari to Force Quit.
In iOS 11 on iPhone X, swipe up from the bottom of the screen and hold (or, swipe up and to the left in an arc) to bring up the App Switcher. Tap and hold on an app until the red circles with a minus sign appears. Tap the minus sign on Safari to Force Quit the app.
Step 2: Go to Settings > Safari > Clear History and Website Data > Clear History and Data, as shown below. This will erase the cache for Safari on this device—AND every other device that syncs Safari through iCloud—erasing the problematic webpage from your device.
You may be given the option of just erasing data from the last hour. This is a great option if you don’t want to lose the rest of your web cache. I used that option when dealing with my encounter, but didn’t have it when taking screenshots for this article.
This will solve most browser hijacks in iOS 11. When you open up Safari again, the offending page will be gone and you’ll be free to user your device normally.
Two Methods for Dealing with More Pernicious Browser Hijacks
Sometimes, though, the scumbags get a little more clever, and clearing your data alone doesn’t work. Don’t ask me how that’s possible, but I found the two methods below when helping someone with just this problem.
If clearing your history and data doesn’t work, you can try turning off JavaScript. To do so, first Force Quit Safari as described above. This might not be necessary, but it’s better to be thorough and cover all your bases. Then, go to Settings > Safari > Advanced, and tap the JavaScript toggle until its off, as shown below.
Advanced Safari Settings in iOS 11
Relaunch Safari and you should be able to close the offending tab. You may also want to clear your History and Data, as described above. You can then turn JavaScript back on, as many useful and legitimate features on webpages use it.
Using an External Link to Bypass a Browser Hijack
There’s yet one more method for bypassing a hijacked browser window in Safari in iOS 11, and that’s to open a new window by tapping on a link in another app. You can do this any number of ways. For instance, having a friend send you a URL in iMessage. In a pinch, you can send the URL yourself to a friend in iMessage. Once it’s in a chat, you can tap it no matter who sent it.
If you already have a link someone sent you, use that, be it in iMessage, Mail, a Note, or anywhere else. The object here is to send the URL to Safari, which will open it in a new window, despite the browser hijack. Here’s an example:
Once you tap it and head back to Safari, it will open the new window. You can then go to the tab browser in Safari and swipe the offending webpage away.
In the case where I helped a friend, the malicious page would reassert itself on top of the new tab. It was a really well-crafted piece of scummery. She had only a split second to tap the tab switcher, and it took several tries. In the end, however, we won and the scumbags were defeated.
Yay us!
Hopefully these steps will help you beat the bad guys, too.
This didn’t help me at all, on my iPad. Still getting hijacked with regularity. What I mean is, even with JavaScript disabled, I get hijacked, bu at least can go back to the page. Problem is the sites where this is happening are useless without JavaScript. Amazed the hell out of me that I cannot blacklist sites in safari, or even chrome on iPad, I would need to use a wildcard as they change it but my tormenter begins with eu.*.out or something like that. Wild card in place of the field that changes each time. This is making browsing unusuable. One of the sites is huffingtonpost and they are basically unreachable anyway.
Sorry but this is just the ad network being weaponized. I will make a few repeat visits to sites where this happens and notify the site, but if it persists more than a couple of visits, that’s it, I’m blacklisting you. In general this is among the reasons “we can’t have nice things”, but that is the world we live in. If ad networks can’t fix this problem quickly, it will be the well-deserved end of them.
This happens to me at a few website that I regulalry visit. I will report to the webmaster who will investigate and 86 the ad, but a few days later the slimeball is at it again.
Maybe the answer would be for website to not allow advertisers to use javascript in the ads, just a simple link. It would probably speed up the page load.