Apple has fixed a serious vulnerability in the iOS operating system that could be exploited by hackers to impersonate users who visit websites that use unencrypted authentication cookies.
The issue resides in the implementation of a cookie store iOS shares between the Safari browser and a separate embedded browser used. The cookie store is used by OS to negotiate “captive portals” that are displayed by many Wi-Fi networks when a user makes a first access. Captive portals generally require people to authenticate themselves or agree to terms of service before they can gain access to the network.
The captive portals use to request a user’s authentication or the explicit agreement to terms of service before a user can join the network.
“The new vulnerability identified by Skycure involves the way iOS handles Cookie Stores when dealing with Captive Portals. When iOS users connect to a captive-enabled network (commonly used in most of the free and paid Wi-Fi networks at hotels, airports, cafes, etc.), a window is shown automatically on users’ screens, allowing them to use an embedded browser to log in to the network via an HTTP interface. As part of Skycure’s continuous research on network-based attacks against mobile devices, we found that the embedded browser used for Captive Portals creates a vulnerability by sharing its cookie store with Safari, the native browser of iOS.” reads a blog post published by Skycure.
The attack scenario sees a threat actor that is setting up a booby-trapped captive portal and associate it with a Wi-Fi network. When a users with a vulnerable iOS device, iPhone or iPad, connects to the network an attacker could exploit the issue to steal any HTTP cookie stored on the device.
Below the attack scenario described by Skycure:
The researchers privately reported the critical flaw to Apple in June 2013, the issue has been fixed with the release of iOS 9.2.1.
(Security Affairs – Asacub trojan, cybercrime)