Critical iOS Flaw allowed Hackers to Steal Cookies from Devices
Apple has patched a critical vulnerability in its iOS operating system that allowed criminal hackers to impersonate end users' identities by granting read/write access to website's unencrypted authentication cookies.
The vulnerability was fixed with the release of iOS 9.2.1 on Tuesday, almost three years after it was first discovered and reported to Apple.
The vulnerability, dubbed "Captive Portal" bug, was initially discovered by Adi Sharabani and Yair Amit from online security company Skycure and privately reported to Apple in June 2013.
Here's How the Vulnerability Worked
The vulnerability caused due to the way iOS handles Cookie Stores at Captive Portals, generally a login page that requires users to authenticate themselves before connecting to the free or paid public Wi-Fi hotspots when they are first joining.
So, when a user with a vulnerable iPhone or iPad connects to a captive-enabled network (sample page shown in the screenshot below) – typically at coffee shops, hotels, and airports – a login window is displayed showing terms and conditions over a standard, unencrypted HTTP connection.
Once accepted, the affected user is able to browse the Internet normally, but the embedded browser shares its unencrypted cookie store with the Safari browser.
According to a blog post published by Skycure on Wednesday, this shared resource allowed hackers to create their own fake captive portal and associate it with the Wi-Fi network, enabling them to steal virtually any unencrypted cookie stored on the device when an affected iOS device is connected.
Here's the List of Attacks a Hacker can Perform
According to researchers, this captive portal vulnerability allows an attacker to:
Perform an Impersonation Attack – Attackers could steal users' unencrypted (HTTP) cookies associated with a website of their choice, allowing them to impersonate the victim's identity on the particular website.
Perform a Session Fixation Attack – This means, logging the victim into an attacker-controlled account (because of the shared Cookie Store). When the victims browse to the affected site via the Safari mobile browser, they'll be logged into the hacker's account instead of their own.
Patch Your Device Right Now!
The flaw affected iPhone 4S and iPad 2 devices and later. However, the vulnerability has been resolved with the release of iOS 9.2.1 in which there is an isolated cookie store for captive portals that will keep hackers at bay.
Skycure says that this is the longest time ever taken by Apple to fix a bug, but the patch was much more complicated than it would be for a typical bug. Though, the company says it has no reports of exploits in the wild.
So, in order to keep yourself safe from such attacks, download iOS 9.2.1 as an over-the-air update from the Settings menu on your iOS device right now.