Exploit type: Web-based privacy leak
Platform: macOS Sonoma, iOS, iPadOS
Patched in: macOS Sonoma 14.1, iOS 16.7.2, iPadOS 16.7.2
Published: September 2023
Apple advisory: HT213970
What Is CVE-2023-41977?
CVE-2023-41977 is a vulnerability that was discovered in Apple’s Safari browser, affecting both macOS and mobile devices running iOS and iPadOS. The bug allowed a malicious website to *potentially* peek into a user’s browsing history by exploiting how the browser handled its cache.
In short: Just by visiting a hacked or specially-crafted website, some of your recent activity could be revealed – and you wouldn’t even know.
How Did the Vulnerability Work?
Every modern browser keeps a cache: temporary files and responses stored locally to make browsing faster. However, with CVE-2023-41977, certain cached responses in Safari (and WebKit-based apps) could be targeted and read in a way that revealed if a user had visited other web pages or domains.
A bad actor could craft a web page that tries to load resources (like images or scripts) from third-party sites. By analyzing the browser’s cache-response times and behaviors, the malicious page infers if you have visited those third-party URLs before. This technique is called "history sniffing."
You open a suspicious website.
2. The site runs hidden JavaScript code that tries to load images/scripts from well-known websites, say https://newswebsite.com/favicon.ico.
It checks how quickly these files load (from cache vs. network).
4. If the resource loads *instantly*, the script learns you recently visited newswebsite.com (since its cache entry exists).
5. The attacker repeats this for a long list of URLs – reconstructing pieces of your browsing history.
Here’s a simplified example demonstrating the core idea
async function checkIfVisited(url) {
const start = performance.now();
try {
// Attempt to load an image (or any static resource)
let img = new Image();
img.src = url + '?cachebust=' + Math.random();
await img.decode();
} catch {}
const duration = performance.now() - start;
return duration < 20; // Assume really quick loads mean "in cache"
}
(async () => {
const targets = [
"https://facebook.com/favicon.ico";,
"https://cnn.com/favicon.ico";,
"https://stackoverflow.com/favicon.ico";,
];
for (let url of targets) {
const visited = await checkIfVisited(url);
console.log(${url}: ${visited ? "Visited" : "Not Visited"});
}
})();
*Note: Real exploits would be more sophisticated and accurate, but this gives you the idea.*
How Was It Fixed?
Apple improved cache handling in Safari and WebKit. The patch prevents websites from reliably detecting the timing differences or cache hits for cross-origin requests. Caches now separate resources more strictly between sites, stopping the history sniffing trick.
Apple’s fix summary:
> “The issue was addressed with improved handling of caches. Visiting a malicious website may reveal browsing history. This issue is fixed in macOS Sonoma 14.1, iOS 16.7.2 and iPadOS 16.7.2.”
(From: Apple security release notes)
If you’re stuck on older systems:
- Be extra careful about visiting shady websites, especially those that seem to know too much about you.
More Reading
- Apple security updates: HT201222
- CVE-2023-41977 at MITRE
- WebKit commit history
Conclusion
CVE-2023-41977 was a subtle but real privacy issue that let websites secretly find out what other websites you had visited, simply by watching your browser’s caches. Thanks to Apple’s quick response, most users are protected – as long as you update!
Tip: Always keep your software up to date to avoid falling victim to similar privacy leaks. 🍏
*Written exclusively for this post to help you stay safer online.*
Timeline
Published on: 10/25/2023 19:15:10 UTC
Last modified on: 11/02/2023 15:26:41 UTC