Researcher Warns Of Dangerous Flaw In Unfixed Apple Safari

Channel News

Rapid7 says vulbnerability could let attackers steal passwords or plant keyloggers on users’ machines

Security researchers have flagged a simple but potentially dangerous flaw in the Apple Safari browser, which could be used to hijack users’ web sessions. The flaw could be exploited to have the browser throw up user cookies, passwords, or even files from the victim’s machine, researchers said.

The problem lies in the Apple Safari webarchive format, which saves all resources on a web page into one document. To exploit the flaw, an attacker would have to trick a victim into opening a malicious webarchive file, either by forced download or via an email attachment in a spear phishing attack.

Dangerous Safari

The specially-crafted file could be used to pilfer cookies and saved passwords by having them sent to the attacker’s own domain. They could also store poisoned JavaScript in the user’s cache, allowing for keyloggers to be installed for certain sites. That’s “very bad”, according to Joe Vennix, Metasploit products developer at Rapid7.

Rapid7 reported the bug to Apple in February but, according to Vennix, Apple labelled the flaw a “wontfix”, as the webarchives file has to be downloaded onto the user’s machine.

“This is a potentially dangerous decision, since a user expects better security around the confidential details stored in the browser, and since the webarchive format is otherwise quite useful,” Vennix wrote in a blog post.

“A flaw exists in the security model behind webarchives that allows us to execute script in the context of any domain – a Universal Cross-site Scripting (UXSS) bug. An attacker can send you crafted webarchives that, upon being opened by the user, will send cookies and saved passwords back to the attacker.

“In a nightmare scenario, the user could be typing emails into a ‘bugged’ webmail, social media, or chat application for years before either 1) he clears his cache, or 2) the cached version in his browser is expired,” he added.

This first appeared on TechWeekEurope UK. Read the whole story here.

Read also :