Pierluigi Paganini January 21, 2016

Apple has fixed a critical vulnerability in its iOS operating system that allowed hackers to impersonate end users.

Apple has fixed a serious vulnerability in the iOS operating system that could be exploited by hackers to impersonate users who visit  websites that use unencrypted authentication cookies.

The issue resides in the implementation of a cookie store iOS shares between the Safari browser and a separate embedded browser used. The cookie store is used by OS to negotiate “captive portals” that are displayed by many Wi-Fi networks when a user makes a first access. Captive portals generally require people to authenticate themselves or agree to terms of service before they can gain access to the network.

The captive portals use to request a user’s authentication or the explicit agreement to terms of service before a user can join the network.

“The new vulnerability identified by Skycure involves the way iOS handles Cookie Stores when dealing with Captive Portals. When iOS users connect to a captive-enabled network (commonly used in most of the free and paid Wi-Fi networks at hotels, airports, cafes, etc.), a window is shown automatically on users’ screens, allowing them to use an embedded browser to log in to the network via an HTTP interface. As part of Skycure’s continuous research on network-based attacks against mobile devices, we found that the embedded browser used for Captive Portals creates a vulnerability by sharing its cookie store with Safari, the native browser of iOS.” reads a blog post published by Skycure.

The attack scenario sees a threat actor that is setting up a booby-trapped captive portal and associate it with a Wi-Fi network. When a users with a vulnerable iOS device, iPhone or iPad, connects to the network an attacker could exploit the issue to steal any HTTP cookie stored on the device.

Below the attack scenario described by Skycure:

• Attacker creates a public Wi-Fi network and waits for victims
• A victim passes by the malicious Wi-Fi area and joins the network (this can be done manually by the victim or their devices can be tricked into joining the network automatically by utilizing Karma or WiFiGate attacks)
• Attacker redirects the Apple Captive request (http://www.apple.com/library/test/success.html) to an HTTP website of his/her choice, thereby triggering the iOS Captive Network embedded browser screen to automatically open
• The embedded browser, which shares the same Cookie Store of Mobile Safari, loads Attacker-controlled content (which can contain malicious Javascript) and executes it

“Perform a cache-poisoning attack on a website of the attacker’s choice (by returning an HTTP response with caching headers). This way, the attacker’s malicious JavaScript would be executed every time the victim connects to that website in the future via Mobile Safari.” is another attack option described by the researcher at Skycure.

The researchers privately reported the critical flaw to Apple in June 2013, the issue has been fixed with the release of iOS 9.2.1.

Pierluigi Paganini & Elsio Pinto (@high54security)

(Security Affairs – Asacub trojan, cybercrime)