Apple Squashes the iOS Cookie Thief – Enabled Hackers to Impersonate Users


Apple has fixed a three-year-old security vulnerability in iOS that allowed attackers on public WiFi networks to impersonate users to the websites they visit.


Apple gets rid of the iOS cookie thief:

Initially reported in June 2013, the vulnerability stemmed from a cookie store that iOS shared between Safari and the embedded browser used to negotiate "captive portals". According to the researchers, when an iOS user connected to a public or otherwise "captive-enabled" network, the device displayed a window in which an embedded browser rendered the network owner's login page. That embedded browser, however, shared its cookie store with Safari, the native browser.

These captive portals are displayed by many WiFi networks when a user joins, asking them to authenticate and/or agree to the terms of service. Because the portal browser shared Safari's cookie store, whoever controlled the portal (or could spoof it on an unencrypted network) could answer plaintext requests for any site from inside that browser, and so read or set the cookies Safari held for that site. This exposed any cookie the iPhone or iPad would send over plain HTTP; cookies flagged Secure are only sent over HTTPS and were not reachable this way.

This issue allows an attacker to:

  • Steal users’ (HTTP) cookies associated with a site of the attacker’s choice. By doing so, the attacker can then impersonate the victim’s identity on the chosen site.
  • Perform a session fixation attack, logging the user into an account controlled by the attacker: because of the shared cookie store, when the victim later browses to the affected website in Mobile Safari, they are logged into the attacker's account instead of their own.
  • Perform a cache-poisoning attack on a website of the attacker’s choice (by returning an HTTP response with caching headers). This way, the attacker’s malicious JavaScript would be executed every time the victim connects to that website in the future via Mobile Safari.

Discovered by Skycure security researchers, the vulnerability was reported to Apple in June 2013. iOS 9.2.1 fixed it along with various other vulnerabilities in iOS and Safari. The update gives captive portals an isolated cookie store, so the native and embedded browsers no longer share that state.
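To make the three attack outcomes listed above and the effect of the isolated-store fix concrete, here is a small Python model added for this article; it is not Skycure's proof of concept or Apple's code. It assumes a hypothetical site `bank.example` at which the victim is already logged in, an attacker who answers every plaintext request on the WiFi network through the portal, and that the vulnerable configuration shared the HTTP cache along with the cookie store (the third bullet above relies on cached responses; the page itself only names the cookie store). The constructed cookies, responses and payload are stand-ins, not captured data.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlparse

# Constructed payload returned by the hypothetical attacker-controlled portal.
MALICIOUS_BODY = "<script>/* attacker JavaScript */</script>"


@dataclass
class Response:
    body: str
    # (name, value, secure) triples standing in for Set-Cookie headers
    set_cookies: List[Tuple[str, str, bool]] = field(default_factory=list)
    max_age: int = 0  # Cache-Control: max-age; 0 means "do not cache"


class CookieStore:
    """Simplified per-host cookie jar (no path, expiry or domain-attribute handling)."""

    def __init__(self) -> None:
        self._jar: Dict[str, Dict[str, Tuple[str, bool]]] = {}

    def set(self, host: str, name: str, value: str, secure: bool = False) -> None:
        self._jar.setdefault(host, {})[name] = (value, secure)

    def for_request(self, host: str, https: bool) -> Dict[str, str]:
        # Cookies carrying the Secure flag are only attached to HTTPS requests,
        # so a plaintext captive portal never sees them.
        return {name: value for name, (value, secure) in self._jar.get(host, {}).items()
                if https or not secure}


@dataclass
class Profile:
    """Browser state. Assumption: the vulnerable iOS shared both the cookie store
    and the HTTP cache between Safari and the captive-portal browser."""
    cookies: CookieStore = field(default_factory=CookieStore)
    cache: Dict[str, str] = field(default_factory=dict)


Handler = Callable[[str, Dict[str, str]], Response]  # (url, request cookies) -> Response


class Browser:
    """One browsing context: Mobile Safari or the embedded captive-portal browser."""

    def __init__(self, profile: Profile) -> None:
        self.profile = profile

    def get(self, url: str, network: Handler) -> str:
        if url in self.profile.cache:
            return self.profile.cache[url]  # served from cache, no network round trip
        parsed = urlparse(url)
        https = parsed.scheme == "https"
        resp = network(url, self.profile.cookies.for_request(parsed.hostname, https))
        for name, value, secure in resp.set_cookies:
            self.profile.cookies.set(parsed.hostname, name, value, secure)
        if resp.max_age > 0:
            self.profile.cache[url] = resp.body
        return resp.body


def bank_origin(url: str, cookies: Dict[str, str]) -> Response:
    """The legitimate site: echoes which session cookie it received."""
    return Response(body=f"bank page for session={cookies.get('session')}")


def attacker_portal(stolen: List[Dict[str, str]]) -> Handler:
    """A captive portal run by (or hijacked by) the attacker. It answers every
    plaintext request on the network, so it can impersonate http://bank.example."""

    def handle(url: str, cookies: Dict[str, str]) -> Response:
        stolen.append(dict(cookies))  # 1. cookie theft: request cookies land with the attacker
        return Response(
            body=MALICIOUS_BODY,  # 3. cache poisoning: cacheable for a day
            set_cookies=[("session", "ATTACKER", False)],  # 2. session fixation
            max_age=86400,
        )

    return handle


def run_scenario(shared: bool) -> Dict[str, object]:
    """shared=True models the vulnerable iOS; shared=False models the iOS 9.2.1 fix."""
    safari_profile = Profile()
    portal_profile = safari_profile if shared else Profile()
    safari, embedded = Browser(safari_profile), Browser(portal_profile)

    # Constructed starting state: the victim is logged in to the bank in Safari.
    safari_profile.cookies.set("bank.example", "session", "VICTIM")
    safari_profile.cookies.set("bank.example", "auth", "SECRET", secure=True)

    stolen: List[Dict[str, str]] = []
    # Joining the WiFi: the portal page shown in the embedded browser pulls in a
    # plaintext resource from bank.example, which the attacker answers instead.
    embedded.get("http://bank.example/", attacker_portal(stolen))

    # Later, on a clean network, the victim opens the bank in Safari.
    return {
        "stolen": stolen,
        "https_page": safari.get("https://bank.example/", bank_origin),
        "http_page": safari.get("http://bank.example/", bank_origin),
    }


if __name__ == "__main__":
    for shared in (True, False):
        print("shared" if shared else "isolated", run_scenario(shared))
```

With the shared store, the portal receives the victim's non-Secure `session` cookie (but not the Secure `auth` cookie), Safari's later HTTPS visit presents the attacker's `session=ATTACKER`, and the plaintext URL is served from the poisoned cache without touching the network. With separate profiles, the portal gets an empty cookie set and Safari keeps its own session and cache.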