What Is the Captive Portal?
Captive portal was a key vulnerability in the iOS system that Apple fixed in January 2016. Using this vulnerability, a hacker can gain read and write permissions to the website's unencrypted authentication cookie, thereby impersonating the identity of the end user [1] .
Captive portal
- Captive portals were originally discovered by Internet security company Skycure's Adi Sharabani and Yair Amit and reported to Apple in June 2013 [1]
- The captive portal is related to the way the iOS system processes cookies stored on the device on the captive portal page. Captive portals are very common, when users connect to free or paid public WiFi hotspots, they often see such a login page [1]
- In iOS9.2.1, Apple finally fixed the captive portal vulnerability and adopted an isolated cookie storage method for captive portals. [2]
- When a user accesses a network with a captive portal at a coffee shop, hotel, or airport using a vulnerable iPhone or iPad, the login page displays the network terms of use through an unencrypted HTTP connection. After the user accepts the terms, they can access the Internet normally, but the embedded browser will share unencrypted cookies to the Safari browser [1]
- Skycure said that this is the longest time it takes Apple to fix a vulnerability, but the patch is more complicated than a normal bug fix. In addition, the company stated that no reports have been received about hackers using this vulnerability to launch attacks [1] .