One month after a group of Chinese researchers exploited a critical WebKit bug to break into — and hijack private data — from a fully patched iPhone, Apple has shipped a Safari update to fix the vulnerability.
The patch, available for Safari 6.1.1 and Safari 7.0.1, fixes a total of nine security vulnerabilities, the most serious of which allows malicious hackers to launch drive-by downloads using rigged Web sites.
The new Safari update comes just over a month after Keen Team, a group of Chinese researchers, demonstrated two iPhone exploits via Safari to capture Facebook credentials (iOS version 7.0.3) and hijack photographs (iOS aversion 6.1.4).
Keen Team’s exploits were delivered as part of the Mobile Pwn2Own hacking challenge at the PacSecWest security conference in Japan.
Here’s the explanation from HP, one of the Pwn2Own sponsors:
The first was an application exploit. Via Safari, the team were able to steal a Facebook cookie that was then exfiltrated and used to compromise the targeted Facebook account from another machine. In order for the exploit to work, a user would need to click on a link in an email, an SMS, or a web page, so some social engineering would be required to prompt a user to take an action before their credentials could be compromised.
According to documentation from Apple, the security holes resided in WebKit. The company confirmed that visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.
The Safari update also includes a patch for a bug that disclosed user credentials to an unexpected site via autofill.
“Safari may have autofilled user names and passwords into a subframe from a different domain than the main frame. This issue was addressed through improved origin tracking,” Apple explained.