iPhone Users Fall Victim to Latest Porn Extortion Scam
So much for iPhones’ vaunted iron-clad security: The latest scareware scam exploited a bug in the Safari browser’s mobile version to hold iOS users hostage until they paid a fine, ostensibly for viewing “illegal pornography.”
According to the blog maintained by mobile security software provider Lookout, scammers planted surreptitious code on “a large number” of websites they created to hawk porn and other “controversial content.” The code exploited the way Safari rendered JavaScript popup windows, creating an endless loop of popups that made the browser useless.
The persistent popups demanded the user pay a fine of £100, in the form of an iTunes gift card code, via SMS.
Fortunately, the malicious code stayed within the app’s sandbox instead of escaping to wreak havoc in the phone’s operating system, data storage or other apps. In fact, according to Lookout researchers Andrew Blaich, Jeremy Richards and Kristy Edwards, users could disable the attack simply by clearing their browser’s cache. (To do that, go to Settings > Safari > Clear History and Website Data.)
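The popup loop described above and the clear-site-data remedy, modelled from the defender's side as an added example (this is not code from the article, from Lookout, or from Safari): a per-page dialog budget that lets the browser stop showing modal dialogs after a small number, so a loop that keeps requesting them cannot lock the user out. The budget size, the `DialogGuard` class and `simulateDialogLoop` are assumptions for illustration.

```javascript
// Added illustration, not the article's or Safari's code: a simplified model of
// dialog throttling, the kind of defence a browser uses against popup loops.
// A page gets a small budget of modal dialogs; once it is spent, further
// requests are suppressed and the page is flagged so the user can leave it.

const DEFAULT_BUDGET = 3; // assumed limit; real browsers choose their own

class DialogGuard {
  constructor(budget = DEFAULT_BUDGET) {
    this.budget = budget;   // dialogs a page may still show
    this.shown = 0;         // dialogs actually displayed
    this.suppressed = 0;    // dialogs refused after the budget ran out
    this.flagged = false;   // set once the page starts being throttled
  }

  // Called each time page script asks for alert()/confirm()/prompt().
  // Returns true if the dialog may be shown, false if it is suppressed.
  request(message) {
    if (this.shown < this.budget) {
      this.shown += 1;
      return true;
    }
    this.suppressed += 1;
    this.flagged = true;
    return false;
  }

  // Clearing history and website data resets the per-site state, which is
  // the remedy the article describes for the locked-up browser.
  reset() {
    this.shown = 0;
    this.suppressed = 0;
    this.flagged = false;
  }
}

// Constructed stand-in for a page that requests dialogs in an endless loop:
// with the guard in place the loop ends as soon as a request is refused,
// instead of holding the browser hostage. maxAttempts is a safety stop only.
function simulateDialogLoop(guard, maxAttempts = 1000) {
  let attempts = 0;
  while (attempts < maxAttempts) {
    attempts += 1;
    if (!guard.request("constructed dialog text")) break;
  }
  return {
    attempts,
    shown: guard.shown,
    suppressed: guard.suppressed,
    flagged: guard.flagged,
  };
}
```

With a budget of 3 the loop runs four iterations: three dialogs are shown, the fourth is refused and the page is flagged; `reset()` models what clearing site data does for the user.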
“The attackers effectively used fear as a factor to get what they wanted before the victim realized that there was little actual risk,” the researchers wrote in the blog post.
Lookout researchers discovered the attack “in the wild” in February and reported the vulnerability to Apple. The code appears to have exploited a flaw present ever since iOS 8. Apple closed the vector in iOS 10.3, which it pushed to iPhones on March 27.
The iPhone porn-ransom scam is similar to a 2014 attack on Android phones.