A vulnerability in iOS can hijack a number of apps when used on an insecure Wi-Fi network, researchers said.
“HTTP Request Hijacking” (HRH) exploits the way iOS applications deal with receiving an HTTP 301 status code from a server, said researchers at device security firm Skycure.
“Most mobile apps do not visually indicate the server they connect to, making HRH attacks seamless, with very low probability of being identified by the victims,” Skycure officials said.
At its core, the attack varies off the standard man-in-the-middle attack. If an app ends up used on an insecure Wi-Fi network, an attacker can intercept requests sent by the app, reply to the requests with a 301, and trick the app into redirecting to a hostile server.
The catch is iOS apps have a behavior quirk that makes them particularly vulnerable to the attack: Whenever they receive a 301 redirection request, that request ends up cached indefinitely. In other words, once an attacker uses a request hijack on an iOS app, its requests redirect continuously to the hostile server until the cache clears. That means the user may never be aware of the issue.
HRH attacks do require a few conditions the attacker must meet before a successful attack. Most crucially, they need to be “physically near the victim for the initial poisoning,” meaning the attacker has to know where the user is connecting via Wi-Fi and hijack that specific connection.
Skycure has declined to name specific apps affected by this bug, as part of its responsible disclosure policy. Instead, the company created a sample application that demonstrates the problem in action. In addition, Skycure published code in its article that allows concerned iOS developers to fix the problem quickly.
In a final note to its post, Skycure said “HRH isn’t necessarily a problem of iOS applications alone; It could apply to mobile applications of other operating systems too.”