Apple has released iOS 9.2.1 for iPhone, iPad, and iPod touch. The small update arrives as build 13D15 and includes bug fixes and security updates, but does not appear to include any new features or changes.
It fixed a nasty bug that lingered in the wild for nearly three years and could have let an attacker steal cookies and impersonate victims.
Yair Amit and Adi Sharabani, researchers with Skycure, discovered the issue and discussed it in a blog post Wednesday.
The window that pops up – the embedded browser that asks users to log in via an HTTP interface – creates a vulnerability by sharing its cookie store with Safari. If an attacker created their own public WiFi network and got an unsuspecting victim to join, they could redirect the user to an HTTP site of their choice.
This opens the user up to a handful of issues – not only can the attacker steal cookies associated with a site, they can also carry out something called a session fixation attack, and log the user into an account controlled by the attacker.
An attacker could also perform a cache-poisoning attack by returning an HTTP response with caching headers. Every time the victim connects to that site down the line, via Safari on iOS, the poisoned cache could be executed.
“We reported this issue to Apple on June 3, 2013,” Amit writes. “This is the longest it has taken Apple to fix a security issue reported by us. It is important to note that the fix was more complicated than one would imagine. However, as always, Apple was very receptive and responsive to ensure the security of iOS users. Starting with iOS 9.2.1, iOS employs an isolated Cookie Store for all Captive Portals. As with almost any update for iOS, we recommend users and organizations upgrade to the latest iOS version promptly.”