Site icon The Mac Security Blog

Update Your iOS Devices – Your Cookies May Be at Risk!

If you own an iPhone or iPad chances are that you already know that there is an update to iOS available. With a few presses your device should be downloading iOS 9.2.1 which, according to Apple, includes a number of under-the-hood performance improvements and bug fixes.

If you bothered to read the update dialog on your iDevice, you will have seen that iOS 9.2.1 addresses a bug that was causing headaches for businesses using Mobile Device Management.

But, of course, that wasn’t the only issue that the new version of iOS aims to resolve. As researchers at Skycure explain, iOS 9.2.1 tackles a vulnerability that has potentially left iPhones and iPads open to abuse for at least the last 2.5 years.

The flaw, known as CVE-2016-1730, is described at the bottom of Apple’s advisory about the security content in the new version of iOS:

WebSheet

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: A malicious captive portal may be able to access the user’s cookies

Description: An issue existed that allowed some captive portals to read or write cookies. The issue was addressed through an isolated cookie store for all captive portals.

CVE-ID
CVE-2016-1730 : Adi Sharabani and Yair Amit of Skycure

From that brief description it may be difficult to determine precisely what the problem was, so I’ll do my best to explain.

When you connect to the Wi-Fi at your local coffee shop or in the airport departure lounge, you usually find that your iPhone or iPad is redirected to a special login page. This is known as a “captive portal,” and is triggered by your device making a request to the url http://www.apple.com/library/test/success.html

If the request is redirected to a third-party page then Apple knows that the providers of the wireless connectivity have put a portal in place, and a dialog box is displayed via an embedded browser giving you the opportunity to login.

So far, so good.

But, back in June 2013, Skycure discovered that the embedded browser used to display captive portals had a vulnerability, which saw private cookies already stored in the user’s mobile Safari browser shared with the captive portal, and vice versa.

As Skycure’s Yair Amit explains, the vulnerability opens opportunities for attackers to do a number of things:

If abused, the consequences clearly could have been serious.

Apple has apparently taken 2.5 years to roll out a fix for this problem, as Skycure first informed them in June 2013. According to the researchers “this is the longest it has taken Apple to fix a security issue reported by us,” but they do acknowledge that the fix was “more complicated than one would imagine” and that Apple was receptive and responsive to the issue.

I guess we all have to be grateful that Skycure was patient, and wasn’t tempted to go public about the flaw before Apple had rolled out a fix — even though it must have been frustrating quite so long.

Because, if Skycure had acted like some other vulnerability researchers have in the past, there is no doubt in my mind that this flaw might have been more widely exploited by malicious hackers.

Share this: