Shared Cookie Stores Bug Fixed in iOS 9.2.1 

Jan 19, 2016 03:00 AM

Adi Sharabani and I have identified another iOS security issue (CVE-2016-1730), which Apple has just officially fixed as part of iOS 9.2.1. It joins earlier Skycure research that has significantly contributed to improving the security and mobile threat defense of iOS users, including HTTP Request Hijacking, Malicious Profiles, Invisible Profiles and No iOS Zone.


The new vulnerability identified by Skycure involves the way iOS handles cookie stores when dealing with captive portals. When an iOS device joins a network with a captive portal (common on free and paid Wi-Fi networks at hotels, airports, cafes, etc.), iOS automatically shows a window with an embedded browser in which the user logs in to the network over an HTTP interface. As part of Skycure's continuous research on network-based attacks against mobile devices, we found that this embedded captive-portal browser shared its cookie store with Mobile Safari, the native browser of iOS, and that this sharing is exploitable by whoever controls the network.

Reproduction

In order to reproduce or exploit the issue, an attacker would have to take the following steps:

·        The attacker creates a public Wi-Fi network and waits for victims.

·        A victim passes by the malicious Wi-Fi area and joins the network (either manually, or because the device is tricked into joining automatically by a Karma or WiFiGate attack).

·        The attacker redirects Apple's captive-network probe request (http://www.apple.com/library/test/success.html) to an HTTP website of his/her choice. Because the probe no longer returns Apple's success page, iOS concludes it is behind a captive portal and automatically opens the embedded Captive Network browser on the attacker's page.

·        The embedded browser, which shares Mobile Safari's cookie store, loads the attacker-controlled content (which can contain malicious JavaScript) and executes it.

Impact

This issue allows an attacker to:

·        Steal the victim's cookies for an HTTP site of the attacker's choice (the attacker controls the network, so it can answer for that site) and use them to impersonate the victim on that site.

·        Perform a session fixation attack, logging the user into an account controlled by the attacker. Because of the shared cookie store, when the victim later browses to the affected website in Mobile Safari, they will be logged into the attacker's account instead of their own.

·        Perform a cache-poisoning attack on a website of the attacker's choice by returning an HTTP response with caching headers, so that the attacker's malicious JavaScript is executed every time the victim visits that website in the future via Mobile Safari.


A similar attack is possible whenever a user opens Safari on an attacker-controlled network, but the fact that the attacker can open the embedded browser automatically (by leveraging iOS's captive-network handling) makes the attack automatic and more effective, with no action required from the victim. We reported this issue to Apple on June 3, 2013. This is the longest it has taken Apple to fix a security issue reported by us. It is important to note that the fix was more complicated than one would imagine. However, as always, Apple was very receptive and responsive to ensure the security of iOS users.

Remediation

Starting with iOS 9.2.1, iOS uses an isolated cookie store for all captive portals, so cookies set or read by the captive-portal browser no longer affect Mobile Safari. As with almost any iOS update, we recommend that users and organizations upgrade to the latest iOS version promptly. To be protected against this and future known and unknown mobile attacks, we advise installing a Mobile Threat Defense app like SEP Mobile (formerly Skycure).
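To make the reproduction steps, the two cookie-related impacts (cookie theft and session fixation) and the 9.2.1 fix concrete, here is an added model of the shared cookie store. It is example code written for this page, not Skycure's or Apple's code. It uses Python's http.cookiejar, which applies the same Netscape cookie rules a browser does, to give Safari and the captive-portal sheet either one shared CookieJar (pre-9.2.1 behaviour) or two separate ones (the fix). The host names victim.example and attacker.example and the cookie values are constructed; the cache-poisoning impact is not modelled.

```python
"""Model of CVE-2016-1730 (shared captive-portal cookie store) on http.cookiejar.
Added example, not Skycure's or Apple's code. Hosts and cookie values are made up."""
import email.message
import http.cookiejar
import urllib.request

# Apple's captive-network probe, as named in the reproduction steps. The rogue
# access point answers it with a redirect to the attacker's page instead of the
# genuine success page, which makes iOS open the captive-portal sheet.
PROBE_URL = "http://www.apple.com/library/test/success.html"


class FakeResponse:
    """Stand-in for http.client.HTTPResponse: CookieJar.extract_cookies() only
    needs .info() to return a headers object that supports get_all()."""

    def __init__(self, headers):
        self._headers = email.message.Message()
        for name, value in headers:
            self._headers[name] = value

    def info(self):
        return self._headers


class BrowsingContext:
    """A browser (Mobile Safari, or the captive-portal sheet) bound to a cookie jar.
    Giving two contexts the same CookieJar object reproduces the pre-9.2.1 sharing;
    giving them separate jars reproduces the iOS 9.2.1 isolation."""

    def __init__(self, jar):
        self.jar = jar

    def receive(self, url, set_cookie_values):
        """Store the Set-Cookie headers of a response to `url`, as a browser would."""
        request = urllib.request.Request(url)
        headers = [("Set-Cookie", value) for value in set_cookie_values]
        self.jar.extract_cookies(FakeResponse(headers), request)

    def cookie_header_for(self, url):
        """The Cookie header this context would send when requesting `url`."""
        request = urllib.request.Request(url)
        self.jar.add_cookie_header(request)
        return request.get_header("Cookie", "")


def run_scenario(shared_store):
    """Replay the attack with a shared or an isolated captive-portal cookie store
    and report what the attacker sees and what Safari sends afterwards."""
    safari_jar = http.cookiejar.CookieJar()
    portal_jar = safari_jar if shared_store else http.cookiejar.CookieJar()
    safari = BrowsingContext(safari_jar)
    portal = BrowsingContext(portal_jar)

    # Earlier, the victim logged in to victim.example in Safari (constructed cookie).
    safari.receive("http://victim.example/login", ["session=victim-session-id"])

    # The victim joins the rogue Wi-Fi. The probe for PROBE_URL is hijacked, the
    # captive-portal sheet opens on http://attacker.example/portal, and that page's
    # JavaScript loads http://victim.example/ over plain HTTP. Since the attacker
    # owns the network, the attacker answers that request and receives whatever
    # cookies the portal context attaches to it (cookie theft).
    cookie_seen_by_attacker = portal.cookie_header_for("http://victim.example/")

    # The attacker's fake victim.example answers with its own session cookie
    # (session fixation); Safari's next request shows whether it took effect.
    portal.receive("http://victim.example/", ["session=attacker-session-id"])
    cookie_safari_sends = safari.cookie_header_for("http://victim.example/account")

    return {
        "cookie_seen_by_attacker": cookie_seen_by_attacker,
        "cookie_safari_sends": cookie_safari_sends,
    }


if __name__ == "__main__":
    print("shared store (pre-9.2.1):  ", run_scenario(shared_store=True))
    print("isolated store (9.2.1 fix):", run_scenario(shared_store=False))
```

With the shared jar the attacker's fake victim.example receives `session=victim-session-id` and Safari subsequently sends `session=attacker-session-id`; with separate jars the attacker receives no cookie at all and Safari keeps sending the victim's own session, which is exactly the property the isolated captive-portal store restores.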
