The issue resides in the implementation of a cookie store iOS shares between the Safari browser and a separate embedded browser used. The cookie store is used by OS to negotiate “captive portals” that are displayed by many Wi-Fi networks when a user makes a first access. Captive portals generally require people to authenticate themselves or agree to terms of service before they can gain access to the network.
"The new vulnerability identified by Skycure involves the way iOS handles Cookie Stores when dealing with Captive Portals. When iOS users connect to a captive-enabled network (commonly used in most of the free and paid Wi-Fi networks at hotels, airports, cafes, etc.), a window is shown automatically on users’ screens, allowing them to use an embedded browser to log in tothe network via an HTTP interface. As part of Skycure’s continuous research on network-based attacks against mobile devices, we found that the embedded browser used for Captive Portals creates a vulnerability by sharing its cookie store with Safari, the native browser of iOS.”
How it works?
On the blog post Skycure have detailed the scenario of the bug.
- Attacker creates a public Wi-Fi network and waits for victims
- A victim passes by the malicious Wi-Fi area and joins the network (this can be done manually by the victim or their devices can be tricked into joining the network automatically by utilizing Karma orWiFiGate attacks)
- Attacker redirects the Apple Captive request (http://www.apple.com/library/test/success.html) to an HTTP website of his/her choice, thereby triggering the iOS Captive Network embedded browser screen to automatically open