Apple with New Patches to Fix Cookie Vulnerability in Safari

Apple with New Patches to Fix Cookie Vulnerability in Safari

As of April 8th, 2015, Apple released its most recent round of patches which also fixed a cookie vulnerability that existed in all versions of Safari and could have affected a total of one billion devices.

The Cookie Vulnerability

Jouko Pynnönen of the Finnish firm Klikki Oy is the researcher who first discovered the cookie flow and reported it to Apple on January 27. According to him, the flow is a result of how Safari handled its previous FTP URL scheme.

In his blog post he explained, “An attacker could create web content which, when viewed by a target user, bypasses some of the normal cross-domain restrictions to access or modify HTTP cookies belonging to any website.”

He also added, “Most websites which allow user logins store their authentication information (usually session keys) in cookies. Access to these cookies would allow hijacking authenticated sessions. Cookies can also contain other sensitive information.”

In addition, attackers can compromise normal web pages simply by embedding an iframe linked to an FTP URL.

Affected Versions of iOS

Pynnönen could not test the cookie bug on all builds, but he reported that the vulnerability affected most Safari versions: Safari 7.0.4 on OS X 10.9.3; Safari on iPhone 3GS, iOS 6.1.6; Safari on iOS 8.1 simulator, and Safari 5.1.7 on Windows 8.1.

How to Avoid Attacks of This Sort

According to Pynnönen, “One way to stop such attacks (e.g. for older devices with no available patch) would be to deny all traffic to the public internet and configure the device to use a HTTP proxy located in the internal network. This should prevent access to all FTP URLs. “