
Apple issues fix for cookie bug that allows identity impersonation with iOS 9.2.1

By Michael Low & Liu Hongzuo - on 21 Jan 2016, 12:00pm


If you’ve yet to update your iPhone or iPad’s firmware to iOS 9.2.1, you should really get it done as soon as possible. This update doesn’t simply improve memory handling for a couple of background processes; it also fixes a three-year-old flaw that can allow hackers to impersonate a user on a website and rewrite their browser’s cookies to execute malicious code.

According to Ars Technica, the vulnerability exists because iOS used a single cookie store shared between the Safari browser and a separate embedded browser. This embedded browser handles 'captive portals', the landing pages you see when you log onto free Wi-Fi at places such as airports and hotels.

Israeli security firm Skycure explained how attackers can abuse this shared setup. The attacker first needs to create a public Wi-Fi network that nearby victims join, which triggers the captive portal process. Instead of reaching Apple’s built-in captive portal page, the user is redirected to a malicious site that is loaded through the same captive portal browser. The attacker can then load malicious content into the device through the now-exposed shared cookie store, and any content loaded this way is executed.

With that done, the attacker can compromise your phone in the following ways, as detailed by Skycure:

  • Steal users’ (HTTP) cookies associated with a site of the attacker’s choice. By doing so, the attacker can then impersonate the victim’s identity on the chosen site.
  • Perform a session fixation attack, logging the user into an account controlled by the attacker – because of the shared Cookie Store, when the victims browse to the affected website via Mobile Safari, they will be logged into the attacker’s account instead of their own.
  • Perform a cache-poisoning attack on a website of the attacker’s choice (by returning an HTTP response with caching headers). This way, the attacker’s malicious JavaScript would be executed every time the victim connects to that website in the future via Mobile Safari.


The danger of this attack stems from how automated the entire process can be, and Skycure has known about it since June 2013. Apple has now fixed it in iOS 9.2.1 by giving captive portal cookies their own isolated cookie store, so the captive portal browser no longer has direct access to Safari’s cookie store. While this won’t stop attackers entirely, it at least makes the process less automated than it was.
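To make the fix concrete, here is an added Python model (not code from Apple, Skycure or the article) of a minimal cookie jar with RFC 6265 domain matching. It runs the session-fixation case from Skycure's list twice: once with a single store shared between the captive-portal browser and Safari (pre-9.2.1), and once with the portal given its own isolated store (the fix). The hostnames and cookie values are constructed for the demo.

```python
from dataclasses import dataclass, field


@dataclass
class CookieStore:
    """Minimal cookie jar keyed by (domain, name). Path and Secure handling are omitted."""
    jar: dict = field(default_factory=dict)

    def store(self, response_host: str, set_cookie: str) -> None:
        # Parse a constructed Set-Cookie header: "name=value; Attr=...; ..."
        pair, *attrs = [p.strip() for p in set_cookie.split(";")]
        name, _, value = pair.partition("=")
        domain = response_host.lower()
        for attr in attrs:
            key, _, val = attr.partition("=")
            if key.strip().lower() == "domain" and val.strip():
                domain = val.strip().lstrip(".").lower()
        self.jar[(domain, name.strip())] = value.strip()

    def cookies_for(self, host: str) -> dict:
        # RFC 6265 domain matching: exact host, or host is a subdomain of the cookie's domain.
        host = host.lower()
        return {name: value for (domain, name), value in self.jar.items()
                if host == domain or host.endswith("." + domain)}


def simulate(shared_store: bool) -> dict:
    """Return the cookies Safari would send to bank.example after a captive-portal session."""
    safari_store = CookieStore()
    # Pre-iOS 9.2.1 behaviour: one store for both contexts; the fix gives the portal its own.
    portal_store = safari_store if shared_store else CookieStore()

    # Constructed scenario: the user is already logged in to bank.example in Safari.
    safari_store.store("bank.example", "session=user-session-token; Path=/")

    # The captive-portal browser is fed a plain-HTTP response that it attributes to
    # bank.example and that sets a session cookie (the session-fixation case above).
    portal_store.store("bank.example", "session=attacker-session-token; Path=/")

    return safari_store.cookies_for("bank.example")


if __name__ == "__main__":
    print("shared store  :", simulate(shared_store=True))    # attacker's cookie has replaced the user's
    print("isolated store:", simulate(shared_store=False))   # user's own session cookie is intact
```

With the shared store, Safari's next request to bank.example carries the attacker-supplied session cookie; with isolated stores, whatever the portal browser received never reaches Safari's jar.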

Source: Skycure via Ars Technica, Apple.