Vulnerability allowed universal cross-site scripting attacks, which allows for account theft and unauthorized interactions.

Apple released updates for iOS, iPadOS and watchOS on Friday (26), correcting a security hole in WebKit, the “heart” of Safari.

According to Apple, there are reports that the problem was exploited by hackers. When a vulnerability is attacked before there is even a software update to fix it, it is called a “zero day”.

For this reason, it is recommended that the update be installed as soon as possible. The versions are:

iOS 14.4.2 (for iPhone)
iPad OS 14.4.2 (for iPad)
watchOS 7.3.3 (for Apple Watch)
The update was released just to fix this vulnerability and does not bring about any other changes or improvements. The next version of iOS, 14.5, is scheduled for release in April.

Apple revealed that it was alerted to the problem by Google’s Threat Analysis Group (TAG), a team that typically analyzes targeted or highly sophisticated attacks. It was also revealed that the loophole allowed “universal cross-site scripting”.

It was not informed who the targets of these attacks would have been.

Loophole allows theft of accounts

Cross-site scripting, or “XSS”, is a security breach in which a web page interacts with another page without the user’s authorization.

As a rule, XSS failures result from programming errors on the website itself and impact only the vulnerable page. This type of problem is quite common and, therefore, XSS is a type of attack associated with websites, not browsers.

But, as the browser is responsible for isolating open pages, an error in this isolation makes it possible to execute commands on any page – that is, universal.

A universal XSS allows the theft of authentication cookies that identify users. If the victim logs in to any website and then visits the malicious website, XSS will be able to copy the key of the logged session and transmit it to the attacker.

The attacker then uses this information to log into the account as if he were the victim, even without knowing the password or having the two-factor authentication code. The stolen key grants direct access – to the website, it is as if the user had opened a new browser tab.

XSS flaws can also be used to interact with restricted network access systems, such as IoT devices or web-based business systems.

A malicious website can use XSS to send commands to these devices, even if the hacker is unable to access them remotely.

Since the attack was not described in detail, it is not possible to know exactly how the problem was used and if there were any limitations for exploiting the flaw.