The security researcher Jouko Pynnönen at Finnish firm Klikki Oy, has discovered a since patched bug (CVE-2015-1126) that could potentially affect a billion Apple iDevices. The cross-domain vulnerability affects Safari’s file transfer URL schemes and could be exploited by attackers to create specially crafted web page which, when visited by a target user, bypasses some of the normal cross-domain restrictions to access or modify HTTP cookies belonging to any website.
“An attacker could create web content which, when viewed by a target user, bypasses some of the normal cross-domain restrictions to access or modify HTTP cookies belonging to any website.” Pynnönen wrote in a security advisory. “Most websites which allow user logins store their authentication information (usually session keys) in cookies. Access to these cookies would allow hijacking authenticated sessions. All tested Safari versions on iOS, OS X, and Windows were vulnerable. The number of affected devices may be of the order of one billion.”
The researcher explained that the Safari browser running on iOS 8.1, 6.1.6, and versions 7.0.4 and 5.1.7 on OS X 10.9.3 and Windows 8.1 are vulnerable.
when the user or password fields include encoded special characters. By manipulating the URL, the attacker can allow documents to be loaded from their sites.
Pynnönen provided the following example URL as PoC
using a vulnerable version will cause the loading of a document from the website attacker.com controlled by the attackers, meanwhile patched browsers would pull a document from Apple. A vulnerable browser will decode the URL in:
The attack can be run by embedding IFRAME pointing to an FTP URL in an apparently harmless webpage.
The vulnerability is Safari was fixed byApple, users can check is their browser is vulnerable using the Safari cookie vulnerability test published by Pynnönen.
(Security Affairs – Apple Safari, iThings)