Surfing the web can leave you open to ad hijackings. A browser fix has been slow

Rob Pegoraro | Special for USA TODAY

Trying to read a story on the Web can send your browser on a one-way detour to scamville—like a bogus offer of a free iTunes gift card or a phony warning of malware infection on your machine—that you can only escape by closing the current browser tab or quitting the entire browser.

The technical term for this page hijacking is a “forced redirect,” but your description may run longer and involve multiple expletives. Think something like “this [bleep] ad just popped in front of what I was reading, and now the [bleep] back button doesn’t get me away from it!”

The experience can be sufficiently invasive to make you think your computer or phone fell victim to some treacherous new hack.

But forced-redirect ads only exploit standard Web scripting code to do their work. The con artists behind them only take advantage of advertising networks that can’t or won’t police which companies buy up ad spots, much to the irritation of Web publishers who never wanted this garbage next to stories on their sites.

Curing the Web of ad fraud remains a tall order, but Google has a software fix for forced-redirect ads. In November, it touted a feature in the upcoming Chrome 64 release of its browser that “will keep the user on the page they were reading, and prevent those surprising redirects.”

But when Chrome 64 shipped in late January, the defense that had shown up in its beta release was not switched on.

A bug-tracking thread reveals that activating this feature got bumped once to Chrome 65, due in early March, and then a second time to Chrome 66, now projected for mid-April.

Google did not answer questions sent Friday asking about reasons for this holdup.

Unfortunately, the other major browsers—Apple’s Safari, Microsoft’s Edge, and Mozilla Firefox—have yet to implement their own defenses against forced redirects, even though Safari and Firefox already surpass competitors in protecting online privacy.

“Disappointing” was the one-word summary of Jerome Dangu, chief technical officer of Confiant, a New York-based ad-security firm that published a report last month uncovering how online crooks set up more than two dozen fake ad agencies to seed forced-redirect ads across the Web.

Apple did not answer a question about plans to add any redirect blocking, while Microsoft provided a generic assurance that it “will continue to deliver improvements and innovations” to Edge. Mozilla Foundation product vice president Nick Nguyen said in a forwarded statement that activating that browser’s “Tracking Protection” feature would block some redirecting ads.

Adventurous Chrome users can activate the anti-redirect option through a hidden interface in Google’s browser. Copy and paste or type in the address “chrome://flags/#enable-framebusting-needs-sameorigin-or-usergesture” and then select “Enabled” from the menu to the right of that page’s first item before relaunching the browser.

Otherwise, when a ripoff ad takes over a page without permission, you’re left with the same recourse as ever: Close that tab or quit the entire browser, then return to the original site and hope you don’t get hijacked this time.

Rob Pegoraro is a tech writer based out of Washington, D.C. To submit a tech question, e-mail Rob at rob@robpegoraro.com. Follow him on Twitter at twitter.com/robpegoraro.