yitit
Home
/
Mobile
/
Apple Squashes the iOS Cookie Thief – Enabled Hackers to Impersonate Users
Apple Squashes the iOS Cookie Thief – Enabled Hackers to Impersonate Users-June 2024
Jun 15, 2025 7:29 PM

Apple has fixed a three-year old security vulnerability in iOS that enabled hackers to impersonate users connecting to websites usingpublic WiFi networks.

ios security XcodeGhost

Apple gets rid of the iOS cookie thief:

Initially reported in June 2013, the vulnerability was a result of a cookie store iOS shared between the Safari browser and another embedded browser used to negotiate "captive portals". According to security researchers, when an iOS user connected to a public network, or a "captive-enabled" network, the iOS device displayed a window allowing networkowner to use an embedded browser to login to the network. However, this embedded browser was found guilty of sharing its cookie store with Safari, the native browser.

These captive portals are displayed by many WiFi networks when a user is joining the network, asking them to authenticate themselves and/or agree to the terms of service. The shared cookie store made it possible for hackers to impersonate end users. Connected to an unencrypted network, hackers could have stolen any HTTP cookie stored on the iPhone or iPad.

This issue allows an attacker to:

Steal users’ (HTTP) cookies associated with a site of the attacker’s choice. By doing so, the attacker can then impersonate the victim’s identity on the chosen site.Perform a session fixation attack, logging the user into an account controlled by the attacker–because of the shared Cookie Store, when the victims browse to the affected website via Mobile Safari, they will be logged into the attacker’s account instead of their own.Perform a cache-poisoning attack on a website of the attacker’s choice (by returning an HTTP response with caching headers). This way, the attacker’s malicious JavaScript would be executed every time the victim connects to that website in the future via Mobile Safari.

Discovered by Skycure security researchers, the vulnerability was reported to Apple back in June 2013. iOS 9.2.1 fixed the exploit along with various other vulnerabilities in iOS and Safari. The new update now provides an isolated cookie store for captive portals, having no shared resources between the native and embedded browsers.

Source

Comments
Welcome to yitit comments! Please keep conversations courteous and on-topic. To fosterproductive and respectful conversations, you may see comments from our Community Managers.
Sign up to post
Sort by
Login to display more comments
Mobile
Recent News
Motorola is going to make a big announcement next week
Motorola is going to make a big announcement next week
Aqara Just Released a New Motion and Light Sensor
Aqara Just Released a New Motion and Light Sensor
Google Wants to Help You Make a Video With AI
Google Wants to Help You Make a Video With AI
Google Just Announced New AI Tools for Workspace
Google Just Announced New AI Tools for Workspace
About
Terms and Conditions Privacy policy Cookie Settings Contact Us
Services
Login register
yitit Hardware Computing Mobile Finance Software Deals
Links
zpostcode Recruit weather mreligion Yellowpages sport constellation shopping name game directory literature Word tour furnish Lottery tftnews lyrics News digital car dir Edu Finance
Copyright 2023-2025 - www.yitit.com All Rights Reserved