Apple Patches Safari Cookie Vulnerability

A security researcher in Finland has revealed the details of a potentially nasty flaw with Apple’s Safari web browser.

It comes after Apple patched the flaw with its Safari 8.0.5 update last week.

Flawed

“The 4/8/2015 security updates from Apple included a patch for a Safari cross-domain vulnerability,” blogged Jouko Pynnönen, from Finnish security firm Klikki Oy.

An attacker could create web content which, when viewed by a target user, bypasses some of the normal cross-domain restrictions to access or modify HTTP cookies belonging to any website,”  Pynnönen wrote.

“Most websites which allow user logins store their authentication information (usually session keys) in cookies. Access to these cookies would allow hijacking authenticated sessions. Cookies can also contain other sensitive information,” he warned.

It seems the problem affected all versions of the Safari web browser, on iOS, OS X, and Windows machines. This includes Safari 7.0.4 on OS X 10.9.3; Safari on iPhone 3GS, iOS 6.1.6; Safari on iOS 8.1 simulator; and Safari 5.1.7 on Windows 8.1.

“The number of affected devices may be of the order of 1 billion,” he warned.

So how does the vulnerability work? Well, Pynnönen pointed out that Safari supports the FTP URL scheme that allows HTML documents to be accessed via URLs beginning with “ftp://”. These URLs can be of the form ftp://user:password@host/path. The problem arises when encoded special characters are used in the user or password parts.

For example, consider the following URL:
ftp://user%40ftp.attacker.tld%2Fexploit.html%23@apple.com/

If correctly interpreted, the URL refers to a document on apple.com. However, when loaded by a vulnerable browser, the network layer uses an extraneously decoded version of the URL:

ftp://user@ftp.attacker.tld/exploit.html#apple.com/

The document would be loaded from ftp.attacker.tld, not apple.com. Yet the document properties such as document.domain and document.cookie are correctly initialised using apple.com.

The attacker-supplied document, exploit.html, can therefore access and modify cookies belonging to apple.com via JavaScript.

Worried Safari users can check if their browser has the vulnerability by using the following vulnerability checker here.

Security Record

Apple generally has a good reputation, although there have been a number of problems to do with the Safari web browser over the years.

This time last year for example, Apple had to patch 27 bugs in Safari that could have allowed hackers to target Safari users via specially-crafted sites

And last August, Apple had to issue a security update for Safari that fixed a WebKit vulnerability that could have allowed the execution of arbitrary code if a user visited a malicious website.

Other problems with Safari have also been exposed in the past which has resulted in Apple issuing patches.

Are you a security expert? Try our quiz!

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

2 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

2 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

2 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

3 days ago