In mid-2023, Apple disclosed and patched a serious vulnerability — CVE-2023-38599 — that affected Safari and many of its core platforms. This bug was rooted in a subtle logic issue in WebKit, which is the browser engine powering Safari across all Apple devices. If you’re curious about why it mattered, how it worked, and whether you’re protected, let’s dig in. I’ll keep it easy to follow, with code snippets and references for deeper reading.
What is CVE-2023-38599?
CVE-2023-38599 describes a logic issue in the way WebKit (used by Safari and other Apple browsers) managed browser state while visiting websites. In plain terms, certain websites could trick Safari into leaking private or sensitive information about you, just by how the browser handled web pages and data in memory.
macOS Ventura 13.5
This issue was fixed by Apple with improved state management in these updates.
What Could Happen? (The Impact)
Because of this vulnerability, a malicious website might be able to track sensitive user information — for example by knowing if you’re logged in to certain sites, or even extracting information about your browsing habits. In some cases, it might even go as far as fingerprinting your identity.
Let's break it down simply.
When you browse different websites, your browser tries to keep your activities separated (using things like cookies, local storage, session management, etc.). This is called enforcing the *same-origin policy*.
However, due to the logic issue in WebKit's code, an attacker could exploit certain browser state management bugs to cross these boundaries and gain unauthorized access to information meant to stay private.
Example: Exploiting Browser State
Imagine a scenario where your browser does NOT correctly separate Session Storage or other browsing data between tabs/windows. A clever attacker could run JavaScript like the following to “peek” into data from other tabs, or to see if you're logged into other sites.
Sample Exploit Code (Pseudo-JS)
// This is illustrative, not the actual exploit code
let frame = document.createElement('iframe');
frame.src = 'https://secure-login-site.com';;
document.body.appendChild(frame);
// Malicious code tries to leak information from iframe
frame.onload = function() {
try {
// Under the bug, this shouldn't be allowed but might work!
let isLoggedIn = frame.contentWindow.someSensitiveProperty;
if (isLoggedIn) {
fetch('/log', {
method: 'POST',
body: JSON.stringify({ user: 'found' })
});
}
} catch (e) {
// Access should normally be denied due to same-origin policy.
}
};
If the browser isn’t careful, this code might be able to tell if you’re logged in to another site — something that would be a privacy *nightmare*.
Real-World Risks
- Tracking login state: Malicious sites might discover if you’re logged into banking, email, or social networks.
What Did Apple Do to Fix It?
Apple improved the internal *state management* of WebKit. Basically, they patched the code so that each website and tab is properly separated in memory, fixing the logical flaw.
The details are brief in their security advisories, but here’s the relevant note from the Apple Security Updates page:
> CVE-2023-38599
>
> A logic issue was addressed with improved state management. This issue is fixed in Safari 16.6, watchOS 9.6, iOS 15.7.8 and iPadOS 15.7.8, tvOS 16.6, iOS 16.6 and iPadOS 16.6, macOS Ventura 13.5. A website may be able to track sensitive user information.
Technical References
- Original Apple Security Update for Safari 16.6
- CVE Details for CVE-2023-38599
- WebKit Bug Tracker (search for CVE-2023-38599)
Safari 16.6 or newer
- iOS/iPadOS 15.7.8 or newer
macOS Ventura 13.5 or newer
> Go to Settings > General > Software Update (on iPhone/iPad), or System Settings > Software Update (on Mac) and make sure you’re up-to-date.
Final Thoughts
CVE-2023-38599 shows us that even well-written browsers can have *unexpected logic* bugs leading to privacy leaks. Apple responded quickly, but it’s a good reminder to:
Use features like private browsing and tracking prevention
For technical users, always check the latest security advisories for your platform.
Timeline
Published on: 07/28/2023 05:15:10 UTC
Last modified on: 08/18/2023 03:15:21 UTC