{"id":101975,"date":"2024-10-14T00:01:24","date_gmt":"2024-10-14T07:01:24","guid":{"rendered":"https:\/\/www.intego.com\/mac-security-blog\/?p=101975"},"modified":"2024-10-17T07:50:30","modified_gmt":"2024-10-17T14:50:30","slug":"apple-still-hasnt-fixed-6-year-old-fake-headlines-flaw-exploitable-for-election-interference","status":"publish","type":"post","link":"https:\/\/www.intego.com\/mac-security-blog\/apple-still-hasnt-fixed-6-year-old-fake-headlines-flaw-exploitable-for-election-interference\/","title":{"rendered":"Apple still hasn&#8217;t fixed 6-year-old &#8220;fake headlines&#8221; flaw exploitable for election interference"},"content":{"rendered":"<p><img loading=\"lazy\" class=\"aligncenter wp-image-102007 size-full\" src=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2024\/10\/election-2024-safari-fake-headline-exploit-v4-header-600x420-1.jpg\" alt=\"\" width=\"600\" height=\"420\" \/><\/p>\n<p>For nearly six years, Apple has neglected to fix a bug that enables anyone to effectively create false or misleading news headlines that appear to come from credible sources.<\/p>\n<p>We originally <a href=\"https:\/\/www.intego.com\/mac-security-blog\/ios-safari-flaw-allows-deceptive-web-page-previews-in-messages\/\">covered the flaw in early 2019<\/a>, and warned about it again <a href=\"https:\/\/www.intego.com\/mac-security-blog\/apple-neglects-to-fix-fake-headlines-bug-usable-for-election-interference\/\">during the 2020 election cycle<\/a>. Disconcertingly, Apple still has not fixed the flaw, even in its latest operating systems; <a href=\"https:\/\/www.intego.com\/mac-security-blog\/apple-releases-ios-ipados-18-0-1-with-security-updates-other-0-1-bug-fix-updates\/\">iOS and iPadOS 18.0.1, and macOS Sequoia 15.0.1<\/a>, were released on October 4.<\/p>\n<p>Apple&#8217;s ongoing lack of a fix is especially concerning given that we&#8217;re just a month away from the 2024 U.S. presidential election, and <a href=\"https:\/\/www.vote.org\/early-voting-calendar\/\" target=\"_blank\" rel=\"noopener\">early voting<\/a> has already begun in some states. In the last election cycle, several &#8220;Big Tech&#8221; companies (such as Twitter, Facebook, and Google) were <a href=\"https:\/\/www.washingtonpost.com\/technology\/2020\/10\/28\/twitter-facebook-google-senate-hearing-live-updates\/\" target=\"_blank\" rel=\"noopener noreferrer\">accused of engaging in or enabling election interference<\/a>. Somehow, Apple evaded scrutiny; this flaw received almost no media coverage whatsoever, aside from Intego&#8217;s report four years ago.<\/p>\n<p>Let&#8217;s break down what exactly Apple has done wrong, the potential impact, and how to report any abuse of the flaw.<\/p>\n<p><em>In this article:<\/em><\/p>\n<ul>\n<li><a href=\"#howwork\">How does the exploit work?<\/a><\/li>\n<li><a href=\"#affectedsites\">Major news sites are affected<\/a><\/li>\n<li><a href=\"#whyapple\">Why hasn&#8217;t Apple done anything to stop this?<\/a><\/li>\n<li><a href=\"#attackused\">Has the attack been used against the 2024 election?<\/a><\/li>\n<li><a href=\"#keys\">Key takeaways<\/a><\/li>\n<li><a href=\"#learnmore\">How can I learn more?<\/a><a name=\"howwork\"><\/a><\/li>\n<\/ul>\n<h3>How does the exploit work?<\/h3>\n<p>The flaw was originally <a href=\"https:\/\/www.macrumors.com\/2019\/02\/21\/safari-fake-headline-bug\/\" target=\"_blank\" rel=\"noopener noreferrer\">discovered<\/a> in February 2019 by the editorial team at MacRumors, who framed it as something readers could &#8220;have a bit of fun with.&#8221; It existed in iOS 12, and could be exploited on an iPhone, iPad, or iPod touch. At the time, it wasn&#8217;t exploitable on Macs; however, Macs could receive deceptive iMessages sent from mobile devices.<\/p>\n<p>Apple&#8217;s Safari browser includes a feature related to link sharing. If you select (highlight) text within a Web page and then tap on the Share button, you can &#8220;quote&#8221; the selected portion of the page for the recipient when you share the link via Apple&#8217;s Messages app. The feature is intended to allow users to include a direct quote from an article, embedded within the iMessage link preview.<\/p>\n<p>However, Apple does not limit the preview text selection to the contents of the page as received from the Web server\u2014and therein lies the flaw.<\/p>\n<p>Users can type something into a page&#8217;s search bar (or any other text field), select <em>the text they just typed,<\/em> tap Safari&#8217;s Share button, and then tap the green-and-white Messages icon to send it to any iMessage recipient\u2014either an individual or a group.<\/p>\n<div style=\"width: 1920px;\" class=\"wp-video\"><!--[if lt IE 9]><script>document.createElement('video');<\/script><![endif]-->\n<video class=\"wp-video-shortcode\" id=\"video-101975-1\" width=\"1920\" height=\"886\" loop=\"1\" autoplay=\"1\" preload=\"metadata\" controls=\"controls\"><source type=\"video\/mp4\" src=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/02\/iOS-Safari-iMessage-bug-false-headline-demonstration.mp4?_=1\" \/><a href=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/02\/iOS-Safari-iMessage-bug-false-headline-demonstration.mp4\">https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/02\/iOS-Safari-iMessage-bug-false-headline-demonstration.mp4<\/a><\/video><\/div>\n<p style=\"text-align: center; font-size: small;\">The bug as it appeared in iOS 13. It still works the same in iOS 18.<\/p>\n<p>Nothing prevents a user from typing a misleading headline or other deceptive text into a field and making it appear to be part of the page, visible in the preview.<\/p>\n<h4><strong>Apple has since made the flaw exploitable on macOS<\/strong><\/h4>\n<p>When we last covered this in 2020, the Safari flaw was only exploitable on iOS and iPadOS, meaning you couldn&#8217;t send deceptive link previews from Safari on macOS. (Mac users could be victims, though; the Messages app on macOS would display misleading previews sent from Safari on someone&#8217;s mobile device.)<\/p>\n<p>But as of 2024, the same flaw also exists in Safari for macOS; we&#8217;ve confirmed that it&#8217;s present in both macOS Sonoma and the new macOS Sequoia. At some point in the past few years, Apple evidently introduced the same undesirable behavior to the Mac version of Safari.<a name=\"affectedsites\"><\/a><\/p>\n<h3>Major news sites are affected<\/h3>\n<p>Alarmingly, <strong>every news site we tested<\/strong> was exploitable via this attack method. We also found that it was possible to send <strong>fake quotes that appear to be from the official campaign sites of Kamala Harris or Donald Trump<\/strong>\u00a0as well.<\/p>\n<p>Following are real screenshots showing, as a demonstration, example fake headlines that could be sent from the ABC News, CBS News, CNN, Forbes, Fox News, Los Angeles Times, MSNBC, and New York Times homepages. (They are watermarked with &#8220;fake headline&#8221; to help prevent abuse.)<\/p>\n<p>Although the example headlines below are mostly silly and unbelievable, one can imagine much more subtle and deceptive headlines or quotes that could potentially influence voters into changing how they might cast their ballots\u2014or avoid voting\u2014on election day.<\/p>\n<div id=\"attachment_102012\" style=\"width: 610px\" class=\"wp-caption aligncenter\"><img aria-describedby=\"caption-attachment-102012\" loading=\"lazy\" class=\"wp-image-102012 size-full\" src=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2024\/10\/election-2024-safari-fake-headline-exploit-examples-v2-iOS-18.jpg\" alt=\"\" width=\"600\" height=\"780\" \/><p id=\"caption-attachment-102012\" class=\"wp-caption-text\">Exploit demo; not seen in the wild. Watermarked to prevent abuse.<\/p><\/div>\n<p>Although in 2020 there were a few sites we tested that seemed to be resistant to the bug, including CBS News and Forbes, we found that these sites are exploitable as of 2024.<a name=\"whyapple\"><\/a><\/p>\n<h3>Why hasn&#8217;t Apple done anything to stop this?<\/h3>\n<p>When MacRumors editors originally discovered this flaw, they called it &#8220;fun&#8221; and noted that it could easily be exploited for harmless pranks. However, as we pointed out in February 2019, we feel that <strong>all iMessage users should take caution, as the flaw could also potentially be used in more sinister attacks<\/strong>. We warned that this could be exploited as a means to try to get financial investors to buy or sell stocks in a panic based on false headlines, for example.<\/p>\n<p><img loading=\"lazy\" class=\"alignright size-full wp-image-43018\" src=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2015\/06\/bad-apple-170.jpeg\" alt=\"\" width=\"150\" height=\"184\" srcset=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2015\/06\/bad-apple-170.jpeg 170w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2015\/06\/bad-apple-170-122x150.jpeg 122w\" sizes=\"(max-width: 150px) 100vw, 150px\" \/>Four years ago, in the context of a contentious election, it was disturbing to see that Apple still had not fixed this flaw. It is even more concerning that we&#8217;re now in the midst of another tight presidential race, and Apple still has not taken any measures to mitigate the issue.<\/p>\n<p>Since it seems like this would be an easy thing for Apple to fix\u2014by simply disallowing user-input fields to be quoted as part of a link preview\u2014it&#8217;s difficult to imagine why Apple has allowed the flaw to persist for nearly six years after its discovery.<\/p>\n<p>We invited Apple to comment on this story, but company representatives had not responded by publication time. If Apple provides a statement, we will update this article.<a name=\"attackused\"><\/a><\/p>\n<h3>Has the attack been used against the 2024 election?<\/h3>\n<p>It is impossible to know with any degree of certainty whether this bug has been exploited to spread misinformation to Apple users about this (or any other) election, especially if it were used in carefully targeted, small-scale attacks.<\/p>\n<p>Although we have not yet been made aware of any real-world abuse of this exploit, we do know that this bug has been widely known for nearly six years, and Apple has chosen not to do anything about it. Apple&#8217;s neglect has left ample opportunity for foreign or domestic actors to engage in targeted campaigns to deceive individuals in specific communities or demographics, including in swing states.<\/p>\n<p>If you become aware of any real-world abuse of this bug for any unethical and illegal purposes, whether election interference, stock market manipulation, or otherwise, please <a href=\"https:\/\/www.ic3.gov\/Home\/FileComplaint\" target=\"_blank\" rel=\"noopener noreferrer\">report it to the FBI&#8217;s Internet Crime Complaint Center (IC3)<\/a>, share the details publicly to warn others, and consider leaving a detailed comment on this article. You can also contact the author of this article via direct message on <a title=\"X\/Twitter: @theJoshMeister\" href=\"https:\/\/x.com\/theJoshMeister\" target=\"_blank\" rel=\"noopener\">\ud835\udd4f\/Twitter<\/a> or <a title=\"Signal: @theJoshMeister.01\" href=\"https:\/\/signal.me\/#eu\/ZXKL_K6cEM_9tJGDlW-pTLpL9RqCTDOeLjn_2v1XW1hphOO-FNBGm4rH5fHjSw9p\" target=\"_blank\" rel=\"noopener\">Signal<\/a>.<a name=\"keys\"><\/a><\/p>\n<h3>Key takeaways<\/h3>\n<ul>\n<li>A flaw in Safari&#8217;s link-sharing feature allows user-added text to look like a real quote or headline from a trusted source.\n<ul>\n<li>This flaw can potentially be used for unethical purposes such as election interference, stock market manipulation, or spreading harmful misinformation that could endanger people.<\/li>\n<\/ul>\n<\/li>\n<li>Apple has known about this flaw for close to six years (to be more precise, about 5 years and 7.5 months) and has never fixed it. The bug has likely existed in the iOS version of Safari for more than six years.<\/li>\n<li>Sometime within the past few years, the flaw became exploitable on the Mac version of Safari. Previously, fake headlines could only be sent from iPhones, iPads, and iPod touches. (Mac users have always been able to be victims of this fake-headline flaw, though.)\n<ul>\n<li>We have confirmed that fake headlines can be <em>sent<\/em> from the Safari browser on iOS 12 through 18, all versions of iPadOS, macOS Sonoma, and macOS Sequoia.<\/li>\n<li>We have confirmed that fake headlines can be <em>viewed<\/em> in the Messages app on iOS 12 through 18, all versions of iPadOS, and macOS Catalina (10.15) through macOS Sequoia (15). This includes virtually all iPhones, iPads, and Macs that are in active use today; practically any Apple user can be a victim.<\/li>\n<\/ul>\n<\/li>\n<li>Sometime within the past few years, the flaw seems to have become compatible with more sites; we found examples of non-exploitable sites in October 2020, but the same sites were exploitable in October 2024.<\/li>\n<li>All current users of iPhones, iPads, and Macs should be made aware that allegedly quoted text or headlines in iMessage link previews may contain false or misleading information. Since Apple has neglected to fix this flaw for several years, it is incumbent upon responsible news media outlets and individuals to warn others who could become victims, and to put public pressure on Apple to finally take the flaw seriously and fix it. <strong>Please share this information to help raise awareness!<\/strong><\/li>\n<li>We have not received confirmation of this flaw being exploited for malicious purposes in real-world attacks. Nevertheless, it&#8217;s possible for small-scale, highly targeted attacks to avoid garnering attention.<\/li>\n<\/ul>\n<p><a name=\"learnmore\"><\/a><\/p>\n<h3>How can I learn more?<\/h3>\n<p>We covered this Safari flaw in the context of the 2020 election four years ago, in October 2020; you can read our coverage <a href=\"https:\/\/www.intego.com\/mac-security-blog\/apple-neglects-to-fix-fake-headlines-bug-usable-for-election-interference\/\">here<\/a>:<\/p>\n<blockquote class=\"wp-embedded-content\" data-secret=\"sMATiGUnuh\"><p><a href=\"https:\/\/www.intego.com\/mac-security-blog\/apple-neglects-to-fix-fake-headlines-bug-usable-for-election-interference\/\">Apple neglects to fix &#8220;fake headlines&#8221; bug usable for election interference<\/a><\/p><\/blockquote>\n<p><iframe class=\"wp-embedded-content\" sandbox=\"allow-scripts\" security=\"restricted\" style=\"position: absolute; clip: rect(1px, 1px, 1px, 1px);\" title=\"&#8220;Apple neglects to fix &#8220;fake headlines&#8221; bug usable for election interference&#8221; &#8212; The Mac Security Blog\" src=\"https:\/\/www.intego.com\/mac-security-blog\/apple-neglects-to-fix-fake-headlines-bug-usable-for-election-interference\/embed\/#?secret=sMATiGUnuh\" data-secret=\"sMATiGUnuh\" width=\"500\" height=\"282\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\"><\/iframe><\/p>\n<p>You can also find our original coverage of this Safari bug, from February 2019, <a href=\"https:\/\/www.intego.com\/mac-security-blog\/ios-safari-flaw-allows-deceptive-web-page-previews-in-messages\/\">here<\/a>:<\/p>\n<blockquote class=\"wp-embedded-content\" data-secret=\"UkCs8l7GyM\"><p><a href=\"https:\/\/www.intego.com\/mac-security-blog\/ios-safari-flaw-allows-deceptive-web-page-previews-in-messages\/\">iOS Safari flaw allows deceptive news headlines in Messages<\/a><\/p><\/blockquote>\n<p><iframe class=\"wp-embedded-content\" sandbox=\"allow-scripts\" security=\"restricted\" style=\"position: absolute; clip: rect(1px, 1px, 1px, 1px);\" title=\"&#8220;iOS Safari flaw allows deceptive news headlines in Messages&#8221; &#8212; The Mac Security Blog\" src=\"https:\/\/www.intego.com\/mac-security-blog\/ios-safari-flaw-allows-deceptive-web-page-previews-in-messages\/embed\/#?secret=UkCs8l7GyM\" data-secret=\"UkCs8l7GyM\" width=\"500\" height=\"282\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\"><\/iframe><\/p>\n<p><a href=\"https:\/\/podcast.intego.com\/\" target=\"_blank\" rel=\"noopener\"><img class=\"alignleft\" src=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2021\/04\/intego-podcast-artwork-400.jpg\" alt=\"\" width=\"80\" \/><\/a>Each week on the <a href=\"https:\/\/podcast.intego.com\/\" target=\"_blank\" rel=\"noopener\"><strong>Intego Mac Podcast<\/strong><\/a>, Intego&#8217;s Mac security experts discuss the latest Apple news, security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to <a href=\"https:\/\/podcasts.apple.com\/us\/podcast\/intego-mac-podcast\/id1293834627\" rel=\"noopener\"><strong>follow the podcast<\/strong><\/a> to make sure you don\u2019t miss any episodes.<\/p>\n<p>You can also subscribe to our <a href=\"https:\/\/www.intego.com\/mac-security-blog\/mac-security-newsletter\/\"><strong>e-mail newsletter<\/strong><\/a> and keep an eye here on <a href=\"https:\/\/www.intego.com\/mac-security-blog\"><strong>The Mac Security Blog<\/strong><\/a> for the latest Apple security and privacy news. And don&#8217;t forget to follow Intego on your favorite social media channels: <a href=\"https:\/\/x.com\/IntegoSecurity\" target=\"_blank\" rel=\"noopener\"><img style=\"border-width: 1px; border-style: solid; border-color: rgba(255, 255, 255, 0.2); border-radius: 8px;\" title=\"Follow Intego on \ud835\udd4f\/Twitter\" src=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2024\/03\/X-Twitter-logo-icon-225.gif\" alt=\"Follow Intego on X\/Twitter\" width=\"16\" \/><\/a>\u00a0<a href=\"https:\/\/www.facebook.com\/Intego\" target=\"_blank\" rel=\"noopener\"><img style=\"border-width: 1px; border-style: solid; border-color: rgba(255, 255, 255, 0.2); border-radius: 8px;\" title=\"Follow Intego on Facebook\" src=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2024\/03\/Facebook-logo-icon-225.gif\" alt=\"Follow Intego on Facebook\" width=\"16\" \/><\/a>\u00a0<a href=\"https:\/\/www.youtube.com\/user\/IntegoVideo?sub_confirmation=1\" target=\"_blank\" rel=\"noopener\"><img style=\"border-width: 1px; border-style: solid; border-color: rgba(0, 0, 0, 0.2); border-radius: 8px;\" title=\"Follow Intego on YouTube\" src=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2024\/03\/YouTube-logo-icon-225.png\" alt=\"Follow Intego on YouTube\" width=\"16\" \/><\/a>\u00a0<a href=\"https:\/\/www.pinterest.com\/intego\/\" target=\"_blank\" rel=\"noopener\"><img style=\"border-width: 1px; border-style: solid; border-color: rgba(0, 0, 0, 0.2); border-radius: 8px;\" title=\"Follow Intego on Pinterest\" src=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2024\/03\/Pinterest-logo-icon-225.png\" alt=\"Follow Intego on Pinterest\" width=\"16\" \/><\/a>\u00a0<a href=\"https:\/\/www.linkedin.com\/company\/intego\" target=\"_blank\" rel=\"noopener\"><img style=\"border-width: 1px; border-style: solid; border-color: rgba(255, 255, 255, 0.2); border-radius: 8px;\" title=\"Follow Intego on LinkedIn\" src=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2024\/03\/LinkedIn-logo-icon-225.gif\" alt=\"Follow Intego on LinkedIn\" width=\"16\" \/><\/a>\u00a0<a href=\"https:\/\/www.instagram.com\/intego_security\/\" target=\"_blank\" rel=\"noopener\"><img style=\"border-width: 1px; border-style: solid; border-color: rgba(255, 255, 255, 0.2); border-radius: 8px;\" title=\"Follow Intego on Instagram\" src=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2024\/03\/Instagram-logo-icon-225.gif\" alt=\"Follow Intego on Instagram\" width=\"16\" \/><\/a>\u00a0<a href=\"https:\/\/podcasts.apple.com\/us\/podcast\/intego-mac-podcast\/id1293834627\" target=\"_blank\" rel=\"noopener\"><img style=\"border-width: 1px; border-style: solid; border-color: rgba(255, 255, 255, 0.2); border-radius: 8px;\" title=\"Follow the Intego Mac Podcast on Apple Podcasts\" src=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/10\/ios9-podcasts-app-tile.png\" alt=\"Follow the Intego Mac Podcast on Apple Podcasts\" width=\"16\" \/><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Apple has known about a \u201cfake headlines\u201d flaw in Safari for nearly 6 years, and has done nothing to fix it\u2014leaving it potentially exploitable for 2024 election interference and the spreading of other harmful misinformation.<\/p>\n","protected":false},"author":14,"featured_media":102009,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false},"categories":[13],"tags":[563,69,4741,4564,4742,3175,4740,4686,115,143],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v17.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<meta name=\"description\" content=\"Apple has known about a \u201cfake headlines\u201d flaw in Safari for nearly 6 years, and has done nothing to fix it\u2014leaving it potentially exploitable for 2024 election interference and the spreading of other harmful misinformation.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.intego.com\/mac-security-blog\/apple-still-hasnt-fixed-6-year-old-fake-headlines-flaw-exploitable-for-election-interference\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Apple still hasn&#039;t fixed 6-year-old &quot;fake headlines&quot; flaw exploitable for election interference - The Mac Security Blog\" \/>\n<meta property=\"og:description\" content=\"Apple has known about a \u201cfake headlines\u201d flaw in Safari for nearly 6 years, and has done nothing to fix it\u2014leaving it potentially exploitable for 2024 election interference and the spreading of other harmful misinformation.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.intego.com\/mac-security-blog\/apple-still-hasnt-fixed-6-year-old-fake-headlines-flaw-exploitable-for-election-interference\/\" \/>\n<meta property=\"og:site_name\" content=\"The Mac Security Blog\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/JoshLong\" \/>\n<meta property=\"article:published_time\" content=\"2024-10-14T07:01:24+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-10-17T14:50:30+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2024\/10\/election-2024-safari-fake-headline-exploit-v4-400x260-1.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"400\" \/>\n\t<meta property=\"og:image:height\" content=\"260\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@theJoshMeister\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Joshua Long\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#organization\",\"name\":\"Intego\",\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/\",\"sameAs\":[],\"logo\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#logo\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2022\/10\/intego-organization-logo-for-google-knowledge-graph-875x875-1.png\",\"contentUrl\":\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2022\/10\/intego-organization-logo-for-google-knowledge-graph-875x875-1.png\",\"width\":875,\"height\":875,\"caption\":\"Intego\"},\"image\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#logo\"}},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#website\",\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/\",\"name\":\"The Mac Security Blog\",\"description\":\"Keep Macs safe from the dangers of the Internet\",\"publisher\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.intego.com\/mac-security-blog\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/apple-still-hasnt-fixed-6-year-old-fake-headlines-flaw-exploitable-for-election-interference\/#primaryimage\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2024\/10\/election-2024-safari-fake-headline-exploit-v4-400x260-1.jpg\",\"contentUrl\":\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2024\/10\/election-2024-safari-fake-headline-exploit-v4-400x260-1.jpg\",\"width\":400,\"height\":260,\"caption\":\"2024 Safari 18 iOS 18 macOS Sequoia Fake Headlines Exploit Demonstration Bug usable for Election Interference and Misinformation\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/apple-still-hasnt-fixed-6-year-old-fake-headlines-flaw-exploitable-for-election-interference\/#webpage\",\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/apple-still-hasnt-fixed-6-year-old-fake-headlines-flaw-exploitable-for-election-interference\/\",\"name\":\"Apple still hasn't fixed 6-year-old \\\"fake headlines\\\" flaw exploitable for election interference - The Mac Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/apple-still-hasnt-fixed-6-year-old-fake-headlines-flaw-exploitable-for-election-interference\/#primaryimage\"},\"datePublished\":\"2024-10-14T07:01:24+00:00\",\"dateModified\":\"2024-10-17T14:50:30+00:00\",\"description\":\"Apple has known about a \\u201cfake headlines\\u201d flaw in Safari for nearly 6 years, and has done nothing to fix it\\u2014leaving it potentially exploitable for 2024 election interference and the spreading of other harmful misinformation.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/apple-still-hasnt-fixed-6-year-old-fake-headlines-flaw-exploitable-for-election-interference\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.intego.com\/mac-security-blog\/apple-still-hasnt-fixed-6-year-old-fake-headlines-flaw-exploitable-for-election-interference\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/apple-still-hasnt-fixed-6-year-old-fake-headlines-flaw-exploitable-for-election-interference\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.intego.com\/mac-security-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Apple still hasn&#8217;t fixed 6-year-old &#8220;fake headlines&#8221; flaw exploitable for election interference\"}]},{\"@type\":\"Article\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/apple-still-hasnt-fixed-6-year-old-fake-headlines-flaw-exploitable-for-election-interference\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/apple-still-hasnt-fixed-6-year-old-fake-headlines-flaw-exploitable-for-election-interference\/#webpage\"},\"author\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#\/schema\/person\/dcf592275ba6edde8d20f1e60029c6b1\"},\"headline\":\"Apple still hasn&#8217;t fixed 6-year-old &#8220;fake headlines&#8221; flaw exploitable for election interference\",\"datePublished\":\"2024-10-14T07:01:24+00:00\",\"dateModified\":\"2024-10-17T14:50:30+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/apple-still-hasnt-fixed-6-year-old-fake-headlines-flaw-exploitable-for-election-interference\/#webpage\"},\"wordCount\":1635,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/apple-still-hasnt-fixed-6-year-old-fake-headlines-flaw-exploitable-for-election-interference\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2024\/10\/election-2024-safari-fake-headline-exploit-v4-400x260-1.jpg\",\"keywords\":[\"iMessage\",\"iOS\",\"iOS 18\",\"iPadOS\",\"iPadOS 18\",\"macOS\",\"macOS Sequoia\",\"macOS Sonoma\",\"Safari\",\"Vulnerabilities\"],\"articleSection\":[\"Security &amp; Privacy\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.intego.com\/mac-security-blog\/apple-still-hasnt-fixed-6-year-old-fake-headlines-flaw-exploitable-for-election-interference\/#respond\"]}]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#\/schema\/person\/dcf592275ba6edde8d20f1e60029c6b1\",\"name\":\"Joshua Long\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#personlogo\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/5ad29f4111ce14911abaa98cbbcdea42?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/5ad29f4111ce14911abaa98cbbcdea42?s=96&d=mm&r=g\",\"caption\":\"Joshua Long\"},\"description\":\"Joshua Long (@theJoshMeister), formerly Intego\\u2019s Chief Security Analyst, is a renowned security researcher and writer, and an award-winning public speaker. Josh has a master\\u2019s degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple\\u00a0ID authentication vulnerability. Josh has conducted cybersecurity research for well over 25 years, which is often featured by major news outlets worldwide. Keep up with Josh via X\/Twitter, LinkedIn, Facebook, Instagram, YouTube, Patreon, Mastodon, the JoshMeister on Security, and more. \\u2014\",\"sameAs\":[\"https:\/\/security.thejoshmeister.com\",\"https:\/\/www.facebook.com\/JoshLong\",\"https:\/\/www.instagram.com\/thejoshmeister\/\",\"https:\/\/www.linkedin.com\/in\/thejoshmeister\",\"https:\/\/www.pinterest.com\/thejoshmeister\/\",\"https:\/\/twitter.com\/theJoshMeister\",\"https:\/\/www.youtube.com\/@theJoshMeister\"],\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/author\/joshlong\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"description":"Apple has known about a \u201cfake headlines\u201d flaw in Safari for nearly 6 years, and has done nothing to fix it\u2014leaving it potentially exploitable for 2024 election interference and the spreading of other harmful misinformation.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.intego.com\/mac-security-blog\/apple-still-hasnt-fixed-6-year-old-fake-headlines-flaw-exploitable-for-election-interference\/","og_locale":"en_US","og_type":"article","og_title":"Apple still hasn't fixed 6-year-old \"fake headlines\" flaw exploitable for election interference - The Mac Security Blog","og_description":"Apple has known about a \u201cfake headlines\u201d flaw in Safari for nearly 6 years, and has done nothing to fix it\u2014leaving it potentially exploitable for 2024 election interference and the spreading of other harmful misinformation.","og_url":"https:\/\/www.intego.com\/mac-security-blog\/apple-still-hasnt-fixed-6-year-old-fake-headlines-flaw-exploitable-for-election-interference\/","og_site_name":"The Mac Security Blog","article_author":"https:\/\/www.facebook.com\/JoshLong","article_published_time":"2024-10-14T07:01:24+00:00","article_modified_time":"2024-10-17T14:50:30+00:00","og_image":[{"width":400,"height":260,"url":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2024\/10\/election-2024-safari-fake-headline-exploit-v4-400x260-1.jpg","type":"image\/jpeg"}],"twitter_card":"summary_large_image","twitter_creator":"@theJoshMeister","twitter_misc":{"Written by":"Joshua Long","Est. reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Organization","@id":"https:\/\/www.intego.com\/mac-security-blog\/#organization","name":"Intego","url":"https:\/\/www.intego.com\/mac-security-blog\/","sameAs":[],"logo":{"@type":"ImageObject","@id":"https:\/\/www.intego.com\/mac-security-blog\/#logo","inLanguage":"en-US","url":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2022\/10\/intego-organization-logo-for-google-knowledge-graph-875x875-1.png","contentUrl":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2022\/10\/intego-organization-logo-for-google-knowledge-graph-875x875-1.png","width":875,"height":875,"caption":"Intego"},"image":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/#logo"}},{"@type":"WebSite","@id":"https:\/\/www.intego.com\/mac-security-blog\/#website","url":"https:\/\/www.intego.com\/mac-security-blog\/","name":"The Mac Security Blog","description":"Keep Macs safe from the dangers of the Internet","publisher":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.intego.com\/mac-security-blog\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"ImageObject","@id":"https:\/\/www.intego.com\/mac-security-blog\/apple-still-hasnt-fixed-6-year-old-fake-headlines-flaw-exploitable-for-election-interference\/#primaryimage","inLanguage":"en-US","url":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2024\/10\/election-2024-safari-fake-headline-exploit-v4-400x260-1.jpg","contentUrl":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2024\/10\/election-2024-safari-fake-headline-exploit-v4-400x260-1.jpg","width":400,"height":260,"caption":"2024 Safari 18 iOS 18 macOS Sequoia Fake Headlines Exploit Demonstration Bug usable for Election Interference and Misinformation"},{"@type":"WebPage","@id":"https:\/\/www.intego.com\/mac-security-blog\/apple-still-hasnt-fixed-6-year-old-fake-headlines-flaw-exploitable-for-election-interference\/#webpage","url":"https:\/\/www.intego.com\/mac-security-blog\/apple-still-hasnt-fixed-6-year-old-fake-headlines-flaw-exploitable-for-election-interference\/","name":"Apple still hasn't fixed 6-year-old \"fake headlines\" flaw exploitable for election interference - The Mac Security Blog","isPartOf":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/apple-still-hasnt-fixed-6-year-old-fake-headlines-flaw-exploitable-for-election-interference\/#primaryimage"},"datePublished":"2024-10-14T07:01:24+00:00","dateModified":"2024-10-17T14:50:30+00:00","description":"Apple has known about a \u201cfake headlines\u201d flaw in Safari for nearly 6 years, and has done nothing to fix it\u2014leaving it potentially exploitable for 2024 election interference and the spreading of other harmful misinformation.","breadcrumb":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/apple-still-hasnt-fixed-6-year-old-fake-headlines-flaw-exploitable-for-election-interference\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.intego.com\/mac-security-blog\/apple-still-hasnt-fixed-6-year-old-fake-headlines-flaw-exploitable-for-election-interference\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.intego.com\/mac-security-blog\/apple-still-hasnt-fixed-6-year-old-fake-headlines-flaw-exploitable-for-election-interference\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.intego.com\/mac-security-blog\/"},{"@type":"ListItem","position":2,"name":"Apple still hasn&#8217;t fixed 6-year-old &#8220;fake headlines&#8221; flaw exploitable for election interference"}]},{"@type":"Article","@id":"https:\/\/www.intego.com\/mac-security-blog\/apple-still-hasnt-fixed-6-year-old-fake-headlines-flaw-exploitable-for-election-interference\/#article","isPartOf":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/apple-still-hasnt-fixed-6-year-old-fake-headlines-flaw-exploitable-for-election-interference\/#webpage"},"author":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/#\/schema\/person\/dcf592275ba6edde8d20f1e60029c6b1"},"headline":"Apple still hasn&#8217;t fixed 6-year-old &#8220;fake headlines&#8221; flaw exploitable for election interference","datePublished":"2024-10-14T07:01:24+00:00","dateModified":"2024-10-17T14:50:30+00:00","mainEntityOfPage":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/apple-still-hasnt-fixed-6-year-old-fake-headlines-flaw-exploitable-for-election-interference\/#webpage"},"wordCount":1635,"commentCount":0,"publisher":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/#organization"},"image":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/apple-still-hasnt-fixed-6-year-old-fake-headlines-flaw-exploitable-for-election-interference\/#primaryimage"},"thumbnailUrl":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2024\/10\/election-2024-safari-fake-headline-exploit-v4-400x260-1.jpg","keywords":["iMessage","iOS","iOS 18","iPadOS","iPadOS 18","macOS","macOS Sequoia","macOS Sonoma","Safari","Vulnerabilities"],"articleSection":["Security &amp; Privacy"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.intego.com\/mac-security-blog\/apple-still-hasnt-fixed-6-year-old-fake-headlines-flaw-exploitable-for-election-interference\/#respond"]}]},{"@type":"Person","@id":"https:\/\/www.intego.com\/mac-security-blog\/#\/schema\/person\/dcf592275ba6edde8d20f1e60029c6b1","name":"Joshua Long","image":{"@type":"ImageObject","@id":"https:\/\/www.intego.com\/mac-security-blog\/#personlogo","inLanguage":"en-US","url":"https:\/\/secure.gravatar.com\/avatar\/5ad29f4111ce14911abaa98cbbcdea42?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/5ad29f4111ce14911abaa98cbbcdea42?s=96&d=mm&r=g","caption":"Joshua Long"},"description":"Joshua Long (@theJoshMeister), formerly Intego\u2019s Chief Security Analyst, is a renowned security researcher and writer, and an award-winning public speaker. Josh has a master\u2019s degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple\u00a0ID authentication vulnerability. Josh has conducted cybersecurity research for well over 25 years, which is often featured by major news outlets worldwide. Keep up with Josh via X\/Twitter, LinkedIn, Facebook, Instagram, YouTube, Patreon, Mastodon, the JoshMeister on Security, and more. \u2014","sameAs":["https:\/\/security.thejoshmeister.com","https:\/\/www.facebook.com\/JoshLong","https:\/\/www.instagram.com\/thejoshmeister\/","https:\/\/www.linkedin.com\/in\/thejoshmeister","https:\/\/www.pinterest.com\/thejoshmeister\/","https:\/\/twitter.com\/theJoshMeister","https:\/\/www.youtube.com\/@theJoshMeister"],"url":"https:\/\/www.intego.com\/mac-security-blog\/author\/joshlong\/"}]}},"jetpack_featured_media_url":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2024\/10\/election-2024-safari-fake-headline-exploit-v4-400x260-1.jpg","jetpack_publicize_connections":[],"jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p4VAYd-qwL","amp_enabled":true,"_links":{"self":[{"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/posts\/101975"}],"collection":[{"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/users\/14"}],"replies":[{"embeddable":true,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/comments?post=101975"}],"version-history":[{"count":18,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/posts\/101975\/revisions"}],"predecessor-version":[{"id":102096,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/posts\/101975\/revisions\/102096"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/media\/102009"}],"wp:attachment":[{"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/media?parent=101975"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/categories?post=101975"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/tags?post=101975"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}