When Apple pushed out its most recent round of patches last week it fixed a cookie vulnerability that existed in all versions of Safari, including those that run on iOS, OS X, and Windows. According to researchers who dug it up, the number of affected devices may total one billion.
The issue – present in Webkit – is technically a cross-domain vulnerability, meaning that an attacker could rig web content to bypass some of the normal cross-domain restrictions when a user views it. The attacker could then use that access to modify HTTP cookies on a website.
The problem, according to the researcher who found the issue, Jouko Pynnönen of the Finnish firm Klikki Oy, lies in the way that Safari previously handled its FTP URL scheme. Klikki Oy, which has found a handful of other bugs over the last several months, including a critical XSS vulnerability in WordPress, notified Apple of the bug on January 27.
The browser allows HTML documents to be accessed via URLs beginning with ftp:// – like ftp://user:password. This can be an issue when encoded characters are used in place of the password however, according to Pynnönen, who says that in some cases the URL could be misinterpreted to come from an attacker’s site and not the target site.
The line ftp://user%40attacker.com%2Fexploit.firstname.lastname@example.org/ should refer to a file on Apple.com, but when read incorrectly and loaded by a vulnerable version of Safari, Pynnönen claims the network layer uses an “extraneously decoded version of the URL:”
“The document would be loaded from attacker.com, not apple.com,” Pynnönen writes, “Yet the document properties such as “document.domain” and “document.cookie” are correctly initialized using ‘apple.com.'”
Pynnönen points out that while cookies could be spoofed in the attack, an attacker could also spoof the document.domain property, which could potentially lead to the compromise of other resources, but unless patched, the cookie issue in Safari is the most practical to exploit.
Apple Fixes Cookie Access Vulnerability in Billions of Safari Devices via @ThreatpostTweet
While Pynnönen couldn’t test the vulnerability on all builds, he did find it was present in Safari 7.0.4 on OS X 10.9.3, Safari on iPhone 3GS, iOS 6.1.6, Safari on an iOS 8.1 simulator, and Safari 5.1.7 on Windows 8.1. Users can test whether or not the version of Safari they’re using is vulnerable by clicking through to a test site Pynnönen set up this week:
Apple fixed the issue (CVE-2015-1126) by adding what it calls improved URL decoding to WebKit’s credential handling. The Cupertino giant also fixed a handful of other bugs, including a proxy manipulation attack in iOS, and multiple kernel vulnerabilities in OS X, in updates it pushed last week.