Apple has fixed a critical vulnerability in its iOS operating system that allowed hackers to impersonate end users.
Apple has fixed a serious vulnerability in the iOS operating system that could be exploited by hackers to impersonate users who visit websites that use unencrypted authentication cookies.
The issue resides in the implementation of a cookie store iOS shares between the Safari browser and a separate embedded browser used. The cookie store is used by OS to negotiate “captive portals” that are displayed by many Wi-Fi networks when a user makes a first access. Captive portals generally require people to authenticate themselves or agree to terms of service before they can gain access to the network.
The captive portals use to request a user’s authentication or the explicit agreement to terms of service before a user can join the network.
“The new vulnerability identified by Skycure involves the way iOS handles Cookie Stores when dealing with Captive Portals. When iOS users connect to a captive-enabled network (commonly used in most of the free and paid Wi-Fi networks at hotels, airports, cafes, etc.), a window is shown automatically on users’ screens, allowing them to use an embedded browser to log in to the network via an HTTP interface. As part of Skycure’s continuous research on network-based attacks against mobile devices, we found that the embedded browser used for Captive Portals creates a vulnerability by sharing its cookie store with Safari, the native browser of iOS.” reads a blog post published by Skycure.
The attack scenario sees a threat actor that is setting up a booby-trapped captive portal and associate it with a Wi-Fi network. When a users with a vulnerable iOS device, iPhone or iPad, connects to the network an attacker could exploit the issue to steal any HTTP cookie stored on the device.
Below the attack scenario described by Skycure:
- Attacker creates a public Wi-Fi network and waits for victims
- A victim passes by the malicious Wi-Fi area and joins the network (this can be done manually by the victim or their devices can be tricked into joining the network automatically by utilizing Karma or WiFiGate attacks)
- Attacker redirects the Apple Captive request
- (http://www.apple.com/library/test/success.html) to an HTTP website of his/her choice, thereby triggering the iOS Captive Network embedded browser screen to automatically open
The researchers privately reported the critical flaw to Apple in June 2013, the issue has been fixed with the release of iOS 9.2.1.
- SplashData Has Published The List Of Worst Passwords In 2015
- Kali Linux Tutorial: Information Gathering Using TheHarvester
- Practical Tutorial For Best 15 Pentest Tools In Kali Linux 2.0