When Apple pushed out iOS 9.2.1 earlier this week, it fixed a nasty bug that lingered in the wild for nearly three years and could have let an attacker steal cookies and impersonate victims.
The problem stems from the little windows that pop up when you connect to a public WiFi network according to Skycure, an Israeli mobile security firm that first reported the issue way back in June 2013.
Yair Amit and Adi Sharabani, researchers with Skycure, discovered the issue and discussed it in a blog post Wednesday.
The window that pops up – the embedded browser that asks users to log in via an HTTP interface – creates a vulnerability by sharing its cookie store with Safari. If an attacker created their own public WiFi network and got an unsuspecting victim to join, they could redirect the user to an HTTP site of their choice.
The embedded browser shares the same “Cookie Store” as Safari, and in turn, can load malicious Javascript of the attacker’s choosing.
This opens the user up to a handful of issues – not only can the attacker steal cookies associated with a site, they can also carry out something called a session fixation attack, and log the user into an account controlled by the attacker.
An attacker could also perform a cache-poisoning attack by returning an HTTP response with caching headers. Every time the victim connects to that site down the line, via Safari on iOS, the poisoned cache could be executed.
Amit and Skycure are encouraging users and organizations to update to the latest version, which fixes the issue in iOS by isolating Cookie Store for all Captive Portals.
It’s not the first time researchers with the firm have dug up vulnerabilities in iOS. Last year, at RSA, Amit and Sharabani demonstrated a SSL certificate parsing vulnerability in iOS 8. Two years ago they discovered an issue that could get iOS devices to automatically join rogue WiFi networks.