Apple ignores dangerous iOS cookie hijacking vulnerability

Jan 21, 2016 11:18 GMT  ·  By

With the release of iOS 9.2.1, Apple fixed a critical security flaw that enabled attackers to carry out automated attacks that stole a user's browser cookies, allowing them to impersonate the victim on legitimate websites.

Two days ago, Apple released its monthly batch of security updates, and one of the fixed issues was CVE-2016-1730, a vulnerability in iOS' WebSheet, an internal (not user-accessible) app that is used only when users want to connect to WiFi networks that require participants to log in via a Web browser.

You can usually find these types of WiFi networks in shopping malls, airports, hotels, public squares, or government buildings.

The problem: WebSheet shared Safari's cookies

According to Adi Sharabani and Yair Amit from Skycure, the WebSheet app had a vulnerability in the way it handled these login operations.

Instead of managing its own set of cookies, as any browser should, the app used Safari's cookie store. This opened the door to a simple set of attacks.

The easiest to carry out involved attackers creating their own public WiFi network. Whenever a user wanted to connect to the network, their iOS device would open WebSheet to authenticate.

An attacker could easily serve malicious code with this login page and, using trivial JavaScript, steal the Safari cookies that WebSheet had loaded.
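The design flaw above is a cookie-store isolation problem: a login view that runs untrusted portal content must not attach the browser's session cookies to requests that content triggers. The following added model (not Skycure's or Apple's code; domains, cookie names and values are constructed for the example) uses Python's standard `http.cookiejar` to contrast the two designs: a portal page processed against the browser's own jar, and the same page given an empty, ephemeral jar of its own.

```python
"""Model of why a captive-portal login view must not share the browser's cookie store.

Added illustration, not Skycure's or Apple's code. Domains, cookie names and
values are constructed for the example.
"""
from email.message import Message
from http.cookiejar import Cookie, CookieJar
from urllib.request import Request


def make_cookie(name, value, domain, http_only=True):
    """Build a session cookie the way a browser would store it after a login."""
    return Cookie(
        version=0, name=name, value=value, port=None, port_specified=False,
        domain=domain, domain_specified=True, domain_initial_dot=False,
        path="/", path_specified=True, secure=True, expires=None, discard=True,
        comment=None, comment_url=None,
        rest={"HttpOnly": None} if http_only else {}, rfc2109=False,
    )


class _StubResponse:
    """Minimal stand-in for an HTTP response: CookieJar only needs info()."""

    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value

    def info(self):
        return self._headers


def cookie_names_sent(jar, url):
    """Return the cookie names the jar would attach to a request for `url`."""
    request = Request(url)
    jar.add_cookie_header(request)
    header = request.get_header("Cookie", "")
    return sorted(part.split("=", 1)[0].strip()
                  for part in header.split(";") if part.strip())


def browser_jar_with_sessions():
    """Constructed Safari-like store holding live sessions for two sites."""
    jar = CookieJar()
    jar.set_cookie(make_cookie("session", "bank-session-token", "bank.example"))
    jar.set_cookie(make_cookie("sid", "mail-session-token", "mail.example"))
    return jar


def portal_login(jar):
    """Process the captive portal's (constructed) login response with `jar`."""
    request = Request("https://captive-portal.example/login")
    response = _StubResponse(["portal_session=abc123; Path=/"])
    jar.extract_cookies(response, request)
    return jar


def shared_jar_exposure():
    """Flawed design: portal content is processed against the browser's own jar."""
    jar = browser_jar_with_sessions()
    # Any subresource the portal page pulls from bank.example carries the bank
    # session cookie, HttpOnly or not: that flag only hides the cookie from
    # document.cookie, it does not stop the jar from attaching it to requests.
    return cookie_names_sent(jar, "https://bank.example/account")


def isolated_jar_exposure():
    """Fixed design: the portal view gets its own, empty, ephemeral jar."""
    browser_jar = browser_jar_with_sessions()
    portal_jar = portal_login(CookieJar())
    return {
        "bank_cookies_from_portal_context":
            cookie_names_sent(portal_jar, "https://bank.example/account"),
        "portal_cookies":
            cookie_names_sent(portal_jar, "https://captive-portal.example/status"),
        "portal_cookie_leaked_to_browser":
            any(c.name == "portal_session" for c in browser_jar),
    }


if __name__ == "__main__":
    print("shared jar sends to bank.example:", shared_jar_exposure())
    print("isolated jar:", isolated_jar_exposure())
```

With the shared jar, a request the portal page triggers toward `bank.example` carries the bank session cookie; with the isolated jar it carries nothing, and the cookie the portal sets during login never reaches the browser's store. The point the comment makes is worth keeping in mind when reviewing similar designs: server-side cookie flags such as HttpOnly do not substitute for isolating the cookie store of a view that renders untrusted content.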

The scenario is even more dangerous if we take into account that hackers can use WiFiGate attacks and force all nearby iOS devices to connect to their network automatically, effectively stealing cookies from any person walking into the coverage of a malicious WiFi network.

iOS devices left open to attacks for over 30 months

Browser cookies in the wrong hands can allow a third party to authenticate on legitimate sites under the cookie owner's identity. Getting hold of cookies for banking portals or payment sites can lead to financial fraud.

Besides cookie hijacking, hackers could also carry out session fixation attacks that force users to log into an account controlled by the attackers, preventing them from accessing their real account and discovering any intrusions on the main profile.

Cache poisoning attacks are also possible after stealing someone's cookies, and can be used to automatically redirect users to a malicious website when trying to access a specific URL. This malicious website can be used to re-infect users with a desired piece of malware at various intervals, and help attackers get boot persistence on a particular handset.

With all these attack scenarios available, you'd think Apple would rush to fix this issue. Skycure says that it reported the vulnerability to Apple on June 3, 2013, a week before the company officially launched iOS 7. The issue was not fixed until iOS 9.2.1, on January 18, 2016.