“The new vulnerability identified by Skycure involves the way iOS handles Cookie Stores when dealing with Captive Portals,” Amit writes. “When iOS users connect to a captive-enabled network (commonly used in most of the free and paid Wi-Fi networks at hotels, airports, cafes, etc.), a window is shown automatically on users’ screens, allowing them to use an embedded browser to log in to the network via an HTTP interface. As part of Skycure’s continuous research on network-based attacks against mobile devices, we found that the embedded browser used for Captive Portals creates a vulnerability by sharing its cookie store with Safari, the native browser of iOS.”
“We reported this issue to Apple on June 3, 2013,” Amit writes. “This is the longest it has taken Apple to fix a security issue reported by us. It is important to note that the fix was more complicated than one would imagine. However, as always, Apple was very receptive and responsive to ensure the security of iOS users. Starting with iOS 9.2.1, iOS employs an isolated Cookie Store for all Captive Portals. As with almost any update for iOS, we recommend users and organizations upgrade to the latest iOS version promptly.”
MacDailyNews Take: If you haven’t already, update your iPhone, iPad, and/or iPod touch devices to iOS 9.2.1 ASAP.
