A flaw has been uncovered in the way Apple iOS handles cookie stores when dealing with Wi-Fi hotspots.
The vulnerability opens up iPhone users to a raft of problems. For instance, attackers could steal users’ (HTTP) cookies associated with a site of the attacker’s choice. By doing so, the attacker can then impersonate the victim’s identity on the chosen site. He or she could also perform a session fixation attack, logging the user into an account controlled by the attacker. When the victims browse to an affected website via mobile Safari, they will be logged into the attacker’s account instead of their own.
Attackers could also perform a cache-poisoning attack on a website of their choice, so that malicious JavaScript would be executed every time the victim connects to that website in the future via mobile Safari.
Adi Sharabani and Yair Amit identified the security issue (CVE-2016-1730), which was just officially fixed by Apple as part of iOS 9.2.1. They found that when iOS users connect to a captive-enabled network (commonly used in most of the free and paid Wi-Fi networks at hotels, airports, cafes, etc.), a window is shown automatically on users’ screens, allowing them to use an embedded browser to log in to the network via an HTTP interface. But, the embedded browser used for captive portals creates a vulnerability by sharing its cookie store with Safari.
An attacker can exploit the issue fairly easily. He or she would set up a rogue public hotspot and wait for victims. Once someone attaches to the network, the attacker can simply redirect the Apple captive request to an HTTP website of his/her choice, thereby triggering the iOS captive network embedded browser screen to automatically open.
“The fact the attacker can automatically open the embedded-browser…makes the attack automatic and more effective,” Amit said.
Starting with iOS 9.2.1, iOS employs an isolated cookie store for all captive portals. Users should apply the update as soon as possible.
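To make the mechanism concrete, here is an added example (not from the article or from Apple's code) that models a browser cookie store, a victim whose captive-portal browser either shares Safari's store (pre-9.2.1) or has its own (the 9.2.1 fix), and what an attacker's page reached over plain HTTP sees and can set. Host names and cookie values are constructed samples; the Secure attribute is modelled with the pre-2016 rule that an http:// page may still overwrite a Secure cookie of the same name.

```python
# Added example: model of the captive-portal shared cookie store bug and its fix.
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False  # Secure attribute: the cookie is only sent over HTTPS


class CookieStore:
    """Per-host cookie jar, as a browser keeps it."""

    def __init__(self):
        self._jar = {}  # host -> {cookie name -> Cookie}

    def set(self, host, cookie):
        # Pre-2016 semantics: an http:// page may overwrite a Secure cookie of the same name
        self._jar.setdefault(host, {})[cookie.name] = cookie

    def for_request(self, host, https):
        return {c.name: c.value for c in self._jar.get(host, {}).values()
                if https or not c.secure}


class Browser:
    def __init__(self, store):
        self.store = store

    def visit(self, host, https, set_cookies=()):
        """Return the cookies sent with the request, then apply the site's Set-Cookie headers."""
        sent = self.store.for_request(host, https)
        for c in set_cookies:
            self.store.set(host, c)
        return sent


def rogue_hotspot_session(shared_store, session_secure):
    """Victim on a rogue hotspot whose captive request is redirected to http://bank.example.
    Returns (cookies the attacker's page received, session cookie Safari sends afterwards)."""
    safari_store = CookieStore()
    captive_store = safari_store if shared_store else CookieStore()  # iOS 9.2.1: isolated store
    safari, captive = Browser(safari_store), Browser(captive_store)
    # Earlier, the victim logged in to bank.example in Safari over HTTPS (constructed cookies).
    safari.visit("bank.example", https=True,
                 set_cookies=[Cookie("session", "victim-sess", session_secure),
                              Cookie("prefs", "lang=en")])
    # Captive-portal window opens on http://bank.example: the page reads what is sent
    # and sets its own session cookie (session fixation).
    leaked = captive.visit("bank.example", https=False,
                           set_cookies=[Cookie("session", "attacker-sess")])
    later = safari.visit("bank.example", https=True)
    return leaked, later.get("session")
```

With a shared store, a non-Secure session cookie is both leaked and replaced; marking it Secure stops the theft over HTTP but not the fixation, and only the isolated store (the 9.2.1 behaviour) prevents both.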