More iframe woes
An attacker would then be able to conduct a range of activities such as reading a target’s emails.
The issue arose due how WebKit handles a number of iframes, which causes the subframe counter to overflow using an empty URL.
Security checks were put in place to prevent subframe counter from overflowing. However, Project Zero found that these measures could be bypassed through the use of multiple iframes – including one that contained an empty URL.
“Therefore, an attacker can insert exactly 1024 frame elements with an empty URL into a node, so its connected subframe counter will overflow and become zero,” Project Zero’s Sergei Glazunov said in a recently published bug report.
“Later, when the node is removed from the document tree, the subframes won't be detached.”
The flaw can be further abused in order to manipulate a cross-domain object through the disconnectDescendantFrames element, used to replace documents.
“Then, if the subframe is navigated to the about:srcdoc URL, the new document will inherit the security context from its parent document, which can be an arbitrary cross-origin page, while the contents will be attacker-controlled,” Glazunov said.
The critical vulnerability was reported to Apple on July 23, and followed its 90-day patch deadline.
Users are advised to ensure their Apple operating systems are up to date and running the latest version of Safari.
Other UXSS bugs have been found in WebKit over recent months, both disclosed by Project Zero.
These were due to how WebKit replaced documents and deleted cross domain objects, respectively.
The Daily Swig has reached out to Project Zero’s Sergi Glazunov for additional comment.
YOU MAY ALSO LIKE Another UXSS bug found in Safari WebKit