Jouko Pynnönen, a security chap with Finnish firm Klikki Oy, has found a since patched bug he says could affect a billion Apple iDevices.
Pynnönensays the cross-domain vulnerability in Safari's file transfer URL schemes allows attackers to modify website HTTP cookies and have documents loaded from malicious sites.
"An attacker could create web content which, when viewed by a target user, bypasses some of the normal cross-domain restrictions to access or modify HTTP cookies belonging to any website," Pynnönen says in an advisory.
"Most websites which allow user logins store their authentication information (usually session keys) in cookies. Access to these cookies would allow hijacking authenticated sessions.
"All tested Safari versions on iOS, OS X, and Windows were vulnerable. The number of affected devices may be of the order of one billion."
Pynnönen says the flaw affects Safari on iOS 8.1, 6.1.6, the ancient iPhone 3GS, and versions 7.0.4 and 5.1.7 on OS X 10.9.3 and Windows 8.1 respectively.
Links in the form of 'ftp://user:password@host/path' are problematic when the user or password fields include encoded special characters. Attackers can manipulate the URL to cause documents to be loaded from their sites.
Pynnönen uses the example URL
to show that while patched browsers would pull a document from Apple, vulnerable versions decode
to pull from attacker.com.
The vulnerability (CVE-2015-1126) is patched with better URL decoding for Webkit credential handling.
Pynnönen has released a Safari vuln-checker, available here. ®