Security researcher reveals Safari browser bug that could have affected up to one billion Apple devices
A security researcher in Finland has revealed the details of a potentially nasty flaw with Apple’s Safari web browser.
It comes after Apple patched the flaw with its Safari 8.0.5 update last week.
An attacker could create web content which, when viewed by a target user, bypasses some of the normal cross-domain restrictions to access or modify HTTP cookies belonging to any website,” Pynnönen wrote.
“Most websites which allow user logins store their authentication information (usually session keys) in cookies. Access to these cookies would allow hijacking authenticated sessions. Cookies can also contain other sensitive information,” he warned.
It seems the problem affected all versions of the Safari web browser, on iOS, OS X, and Windows machines. This includes Safari 7.0.4 on OS X 10.9.3; Safari on iPhone 3GS, iOS 6.1.6; Safari on iOS 8.1 simulator; and Safari 5.1.7 on Windows 8.1.
“The number of affected devices may be of the order of 1 billion,” he warned.
So how does the vulnerability work? Well, Pynnönen pointed out that Safari supports the FTP URL scheme that allows HTML documents to be accessed via URLs beginning with “ftp://”. These URLs can be of the form ftp://user:password@host/path. The problem arises when encoded special characters are used in the user or password parts.
For example, consider the following URL:
If correctly interpreted, the URL refers to a document on apple.com. However, when loaded by a vulnerable browser, the network layer uses an extraneously decoded version of the URL:
The document would be loaded from ftp.attacker.tld, not apple.com. Yet the document properties such as document.domain and document.cookie are correctly initialised using apple.com.
Worried Safari users can check if their browser has the vulnerability by using the following vulnerability checker here.
Apple generally has a good reputation, although there have been a number of problems to do with the Safari web browser over the years.
This time last year for example, Apple had to patch 27 bugs in Safari that could have allowed hackers to target Safari users via specially-crafted sites
And last August, Apple had to issue a security update for Safari that fixed a WebKit vulnerability that could have allowed the execution of arbitrary code if a user visited a malicious website.
Are you a security expert? Try our quiz!