Apple's Safari browser vulnerable to session fixation attacks
Apple's Safari web browser contains a vulnerability in its handling of cookies for multipart top level domains (TLDs) that potentially allows attackers to access the web services used by the victim. Safari treats multipart TLDs like .co.uk or .com.au differently from ordinary TLDs like .de or .com. According to a report, this allows attackers to inject a cookie into the browser that Safari will subsequently send, as log-in authentication, to other servers under the same TLD.
Before carrying out the attack, the attacker first obtains the cookie to be injected from the targeted web service, issued for the attacker's own account. Because the victim then effectively shares the attacker's session, the attacker can spy on the victim's connection. However, the success of this type of attack, called session fixation – PDF file – depends on the particular implementation of the web application: it is, for example, dependent on whether the IP address and other information are included in the session data. So far there is no patch for Safari. Internet Explorer, Firefox and Konqueror were also vulnerable to this type of attack, but the hole was closed in all of them almost four years ago.
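As an added illustration (not Safari's code and not taken from the cited report), the following compares a weak cookie Domain check that accepts any suffix made of two labels, so that a Domain of .co.uk passes, against one backed by a public suffix list; the suffix list here is a constructed stub, and the dot-counting rule is an assumed stand-in for whatever heuristic the browser used.

```python
# Added example: how a cookie Domain attribute should (and should not) be
# validated. The public suffix list below is a constructed subset, and the
# dot-counting rule is an assumed illustration, not Safari's actual logic.

PUBLIC_SUFFIXES = {"com", "de", "uk", "co.uk", "au", "com.au"}  # constructed


def normalize(domain: str) -> str:
    """Lower-case and drop the leading dot some Set-Cookie headers carry."""
    return domain.strip().lower().lstrip(".")


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 domain-match: host equals domain or is a subdomain of it."""
    host, domain = normalize(host), normalize(domain)
    return host == domain or host.endswith("." + domain)


def accept_dotcount(host: str, domain: str) -> bool:
    """Weak rule: honour any Domain with at least two labels.

    'co.uk' has two labels, so a cookie scoped to the whole .co.uk
    suffix is accepted and will be sent to every site under it.
    """
    return domain_matches(host, domain) and normalize(domain).count(".") >= 1


def accept_psl(host: str, domain: str) -> bool:
    """Stronger rule: refuse a Domain that is itself a public suffix."""
    d = normalize(domain)
    return domain_matches(host, d) and d not in PUBLIC_SUFFIXES


def cookies_sent_to(jar: dict, host: str) -> list:
    """Names of cookies in jar (name -> Domain) a browser would send to host."""
    return sorted(name for name, dom in jar.items() if domain_matches(host, dom))


if __name__ == "__main__":
    # A session cookie wrongly scoped to the suffix reaches unrelated sites.
    jar = {"SESSION": ".co.uk", "PREF": ".shop.example.co.uk"}
    print(cookies_sent_to(jar, "bank.co.uk"))        # ['SESSION']
    print(accept_dotcount("www.example.co.uk", ".co.uk"))  # True  (weak)
    print(accept_psl("www.example.co.uk", ".co.uk"))       # False (fixed)
```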
See also:
- Some Random Safari Notes, report by kuza55
- Vulnerability Summary CVE-2008-3170, entry in NIST
(trk)