Reg comments6

Apple splats Safari flaw affecting a BEELLION iThings

FTP bug sends doc hunters on nasty detours

Jouko Pynnönen, a security chap with Finnish firm Klikki Oy, has found a since patched bug he says could affect a billion Apple iDevices.

Pynnönensays the cross-domain vulnerability in Safari's file transfer URL schemes allows attackers to modify website HTTP cookies and have documents loaded from malicious sites.

"An attacker could create web content which, when viewed by a target user, bypasses some of the normal cross-domain restrictions to access or modify HTTP cookies belonging to any website," Pynnönen says in an advisory.

"Most websites which allow user logins store their authentication information (usually session keys) in cookies. Access to these cookies would allow hijacking authenticated sessions.

"All tested Safari versions on iOS, OS X, and Windows were vulnerable. The number of affected devices may be of the order of one billion."

Pynnönen says the flaw affects Safari on iOS 8.1, 6.1.6, the ancient iPhone 3GS, and versions 7.0.4 and 5.1.7 on OS X 10.9.3 and Windows 8.1 respectively.

Links in the form of 'ftp://user:password@host/path' are problematic when the user or password fields include encoded special characters. Attackers can manipulate the URL to cause documents to be loaded from their sites.

Pynnönen uses the example URL

ftp://user%40attacker.com%2Fexploit.html%23@apple.com/

to show that while patched browsers would pull a document from Apple, vulnerable versions decode

ftp://user@attacker.com/exploit.html#apple.com/

to pull from attacker.com.

The attack, which requires JavaScript, could be pulled off using iFrames embedded into benign web pages, he says.

The vulnerability (CVE-2015-1126) is patched with better URL decoding for Webkit credential handling.

Pynnönen has released a Safari vuln-checker, available here. ®

Sponsored: The Joy and Pain of Buying IT - Have Your Say


Biting the hand that feeds IT © 1998–2017