Researchers Warn Over Apple Safari Flaw

Rapid7 says flaw could let attackers steal passwords or even get keyloggers on users’ machines

Security researchers have flagged a simple but potentially dangerous flaw in the Apple Safari browser, which could be used to hijack users’ web sessions.

The flaw could be exploited to make the browser expose a user's cookies, passwords or even files from the victim's machine, researchers said.

The problem lies in the Apple Safari webarchive format, which saves all resources on a web page into one document. To exploit the flaw, an attacker would have to trick a victim into opening a malicious webarchive file, either by forced download or via an email attachment in a spear phishing attack.


The specially-crafted file could be used to pilfer cookies and saved passwords by having them sent to the attacker’s own domain.

The attacker could also store poisoned JavaScript in the user's cache, allowing keyloggers to be installed for certain sites. That's "very bad", according to Joe Vennix, Metasploit products developer at Rapid7.

“A flaw exists in the security model behind webarchives that allows us to execute script in the context of any domain – a Universal Cross-site Scripting (UXSS) bug,” Vennix wrote in a blog post. “An attacker can send you crafted webarchives that, upon being opened by the user, will send cookies and saved passwords back to the attacker.

“By modifying the WebResourceURL key, we can write script that executes in the context of any domain, which is why this counts as a UXSS bug.

“In a nightmare scenario, the user could be typing emails into a ‘bugged’ webmail, social media, or chat application for years before either 1) he clears his cache, or 2) the cached version in his browser is expired.”
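A webarchive is a binary property list whose WebMainResource and WebSubresources entries each carry a WebResourceURL. The added example below (not Rapid7's or Apple's code) is a triage script that parses such a file and reports the origin its main resource claims, whether that resource carries script, and which subresources come from a different origin, which is what a reviewer would want to know before letting a downloaded webarchive open in Safari. The sample archive is constructed in-memory; the key names are those of the webarchive format, and the hostnames are placeholders.

```python
import plistlib
import re
from urllib.parse import urlsplit

# Crude indicators of script in an HTML body (inline script, javascript: URLs,
# or on*= event handlers). Good enough for triage, not a parser.
SCRIPT_RE = re.compile(rb"<script\b|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)


def _origin(url: str):
    """Reduce a URL to the (scheme, host, port) triple that defines its origin."""
    p = urlsplit(url)
    return (p.scheme.lower(), (p.hostname or "").lower(), p.port)


def triage_webarchive(data: bytes) -> dict:
    """Parse a .webarchive (a binary plist) and report what a reviewer needs:
    which origin the main resource claims via WebResourceURL, whether it
    contains script, and which subresources or subframes point elsewhere."""
    archive = plistlib.loads(data)
    main = archive.get("WebMainResource", {})
    main_url = main.get("WebResourceURL", "")
    claimed = _origin(main_url)
    report = {
        "main_url": main_url,
        "claimed_origin": claimed,
        "main_has_script": bool(SCRIPT_RE.search(main.get("WebResourceData", b""))),
        "foreign_subresources": [
            sub.get("WebResourceURL", "")
            for sub in archive.get("WebSubresources", [])
            if _origin(sub.get("WebResourceURL", "")) != claimed
        ],
        "subframe_urls": [
            frame.get("WebMainResource", {}).get("WebResourceURL", "")
            for frame in archive.get("WebSubframeArchives", [])
        ],
    }
    # The combination the article warns about: script inside a page that claims
    # a web origin the user may hold cookies or saved passwords for.
    report["suspicious"] = report["main_has_script"] and claimed[0] in ("http", "https")
    return report


def build_sample_archive() -> bytes:
    """Constructed sample archive (placeholder hosts, harmless script body)."""
    html = b"<html><body><script>/* constructed placeholder */</script></body></html>"
    archive = {
        "WebMainResource": {
            "WebResourceURL": "https://webmail.example.com/inbox",
            "WebResourceMIMEType": "text/html",
            "WebResourceTextEncodingName": "UTF-8",
            "WebResourceFrameName": "",
            "WebResourceData": html,
        },
        "WebSubresources": [
            {"WebResourceURL": "https://webmail.example.com/app.css",
             "WebResourceMIMEType": "text/css", "WebResourceData": b"body{}"},
            {"WebResourceURL": "https://cdn.untrusted-host.invalid/x.js",
             "WebResourceMIMEType": "application/javascript",
             "WebResourceData": b"/* constructed */"},
        ],
    }
    return plistlib.dumps(archive, fmt=plistlib.FMT_BINARY)
```

Run `triage_webarchive(open(path, "rb").read())` on a real download to get the same report for it; a "suspicious" result is a reason to inspect the file rather than open it.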

Ideally, Apple would block the script execution the researchers demonstrated. Rapid7 reported the bug to Apple in February.

Apple had not responded to a request for comment at the time of publication. But according to Vennix, Apple labelled the flaw a "wontfix", since the webarchive file has to be downloaded onto the user's machine before it can do any harm.

“This is a potentially dangerous decision, since a user expects better security around the confidential details stored in the browser, and since the webarchive format is otherwise quite useful,” Vennix added.

“Also, not fixing this leaves only the browser’s file:// URL redirect protection, which has been bypassed many times in the past.”

Apple has a fine reputation when it comes to security, although it has been caught out ignoring warnings from security professionals in the past. It was criticised last year by researchers who claimed it did not react fast enough to kill off a prevalent malware strain, called Flashback.
