SecurityWeek

Apple Fixes 3-Year-Old Cookie Store Vulnerability in iOS

Apple on Tuesday patched multiple security flaws in iOS, OS X, and Safari, including a Cookie Stores vulnerability in iOS that was initially reported in June 2013, researchers at Skycure reveal.

The security issue, CVE-2016-1730, was found by Skycure’s Adi Sharabani and Yair Amit and involved the way iOS handles Cookie Stores when dealing with Captive Portals. Attackers could exploit the flaw via a public Wi-Fi network and could load and execute malicious content on the victim’s device, Skycure’s Yair Amit explained in a blog post.

According to Amit, when a user connects to a public network, or a captive-enabled network, the iOS device displays a window that allows its owner to use an embedded browser to log in to the network via an HTTP interface. However, the embedded browser was found to share its cookie store with Safari, the native browser in iOS.

Captive-enabled networks are widespread, being commonly used in most free and paid Wi-Fi networks in public places such as hotels, airports, restaurants, and the like. Thus, the sharing of the cookie store between the two browsers creates a vulnerability that can be used in network-based attacks against mobile devices, Skycure warns.

To exploit the vulnerability, an attacker would have to create a public Wi-Fi network and wait for the victim to join the network. Next, the attacker redirects the Apple Captive request to an HTTP website of their choice, which triggers the iOS Captive Network embedded browser screen to open and results in the embedded browser loading attacker-controlled content and executing it.

By exploiting the issue, an attacker can steal a user’s HTTP cookies associated with a site of the attacker’s choice, allowing the attacker to impersonate the victim on the chosen site. Furthermore, Skycure says the perpetrator can perform a session fixation attack, logging the user into an account they control, because the shared cookie store ensures that the victim is redirected even when using Safari.

Cybercriminals could also use the exploit to perform a cache-poisoning attack on a website of their choice by returning an HTTP response with caching headers, allowing malicious content (JavaScript) to be executed every time the victim connects to that website in the future via Safari on the mobile device.

According to Amit, the attack is effective because the attacker can have the embedded browser opened automatically on the victim’s device by leveraging the way iOS handles captive networks. However, the attack can be performed with similar characteristics even when the user opens Safari to log in to the network.

Apple was informed of this issue on June 3, 2013, but the company took over two and a half years to release a patch for it, the security firm says. Skycure’s researchers note that, while this is the longest it has taken Apple to fix a vulnerability they reported, the fix for the issue was “more complicated than one would imagine” and that Apple was very receptive and responsive.

The newly released iOS 9.2.1 employs an isolated Cookie Store for all Captive Portals, which remediates the issue. iOS device owners are advised to download and install the platform upgrade as soon as possible, to ensure they remain protected against this and other flaws.
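
The difference between the shared store and the isolated store introduced in iOS 9.2.1 can be shown with a small model. This is an added illustration, not Apple's or Skycure's code; the class names, hostnames and cookie values are constructed, and cookie attributes such as Secure are left out of the model.

```python
from dataclasses import dataclass, field


@dataclass
class CookieStore:
    """Cookies keyed by host, as seen by one browsing context (constructed model)."""
    jar: dict = field(default_factory=dict)

    def set_cookie(self, host, name, value):
        self.jar.setdefault(host, {})[name] = value

    def cookies_for(self, host):
        # Cookies a request to `host` would carry. Attributes such as Secure
        # and Path are deliberately left out of this model.
        return dict(self.jar.get(host, {}))


class Device:
    """Safari plus the captive-portal embedded browser on one device."""

    def __init__(self, isolate_captive):
        self.safari = CookieStore()
        # Before the fix both contexts use one store; after it, the captive
        # browser gets a store of its own.
        self.captive = CookieStore() if isolate_captive else self.safari


def audit(isolate_captive):
    """Return what crosses between the two contexts for a given design."""
    dev = Device(isolate_captive)
    # 1. The user has an existing Safari session on a site (hypothetical host).
    dev.safari.set_cookie("shop.example", "session", "user-session-1")
    # 2. The captive sheet loads a page under that host over the untrusted
    #    network: which cookies does its request carry?
    exposed = dev.captive.cookies_for("shop.example")
    # 3. A response inside the captive sheet sets a cookie for a second host.
    dev.captive.set_cookie("mail.example", "session", "set-by-network")
    # 4. Later, in Safari: is that cookie attached to the user's request?
    planted = dev.safari.cookies_for("mail.example").get("session")
    return {"exposed_to_captive": exposed, "planted_in_safari": planted}


if __name__ == "__main__":
    for isolated in (False, True):
        print("isolated" if isolated else "shared", audit(isolated))
```

With the shared store, the Safari session cookie is visible to the captive context and the cookie set there follows the user into Safari; with isolation, neither crosses.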

With the release of iOS 9 last year, Apple improved many aspects pertaining to the security of its mobile devices, including the “sideloading” process, which boosts app security, and two-factor authentication. In September, the company also resolved a flaw in its over-the-air file sharing technology, AirDrop, which allowed attackers to target victims in their close proximity.

Since then, the technology giant has patched over one hundred bugs in the mobile platform, including nearly 50 vulnerabilities resolved in the October round of updates, and 50 security holes plugged in December.
