Apple has fixed a critical vulnerability in its iOS operating system that allowed hackers to impersonate end users.
Apple has fixed a serious vulnerability in the iOS operating system that could be exploited by hackers to impersonate users who visit websites that use unencrypted authentication cookies.
The issue resides in the implementation of a cookie store iOS shares between the Safari browser and a separate embedded browser used. The cookie store is used by OS to negotiate “captive portals” that are displayed by many Wi-Fi networks when a user makes a first access. Captive portals generally require people to authenticate themselves or agree to terms of service before they can gain access to the network.
The captive portals use to request a user’s authentication or the explicit agreement to terms of service before a user can join the network.
“The new vulnerability identified by Skycure involves the way iOS handles Cookie Stores when dealing with Captive Portals. When iOS users connect to a captive-enabled network (commonly used in most of the free and paid Wi-Fi networks at hotels, airports, cafes, etc.), a window is shown automatically on users’ screens, allowing them to use an embedded browser to log in to the network via an HTTP interface. As part of Skycure’s continuous research on network-based attacks against mobile devices, we found that the embedded browser used for Captive Portals creates a vulnerability by sharing its cookie store with Safari, the native browser of iOS.” reads a blog post published by Skycure.
The attack scenario sees a threat actor that is setting up a booby-trapped captive portal and associate it with a Wi-Fi network. When a users with a vulnerable iOS device, iPhone or iPad, connects to the network an attacker could exploit the issue to steal any HTTP cookie stored on the device.
Below the attack scenario described by Skycure:
Attacker creates a public Wi-Fi network and waits for victims
A victim passes by the malicious Wi-Fi area and joins the network (this can be done manually by the victim or their devices can be tricked into joining the network automatically by utilizing Karma or WiFiGate attacks)
Attacker redirects the Apple Captive request (http://www.apple.com/library/test/success.html) to an HTTP website of his/her choice, thereby triggering the iOS Captive Network embedded browser screen to automatically open
The researchers privately reported the critical flaw to Apple in June 2013, the issue has been fixed with the release of iOS 9.2.1.
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.