Safari Vulnerability Exposes EU iOS Users to Malicious Marketplaces

A serious concern has arisen for iPhone users in the European Union as a newly discovered flaw in Apple’s Safari browser has the potential to expose them to tracking and malicious activities.

The vulnerability lies in the fact that third-party marketplace apps can exploit this flaw, posing a significant risk to users’ privacy and security.

As a result, users are advised to exercise caution while browsing the internet and downloading apps until a fix is rolled out.

This vulnerability stems from a specific implementation designed to comply with the European Digital Market Act (DMA), which mandates that users should be able to download and install apps from developers’ websites, not just the Apple App Store.

Document

Integrate ANY.RUN in Your Company for Effective Malware Analysis

Are you from SOC, Threat Research, or DFIR departments? If so, you can join an online community of 400,000 independent security researchers:

  • Real-time Detection
  • Interactive Malware Analysis
  • Easy to Learn by New Security Team members
  • Get detailed reports with maximum data
  • Set Up Virtual Machine in Linux & all Windows OS Versions
  • Interact with Malware Safely

If you want to test all these features now with completely free access to the sandbox:

The Flaw Explained

The vulnerability involves a new URI scheme introduced in iOS 17.4, named marketplace-kit, which allows the installation of third-party marketplace apps directly from websites via Safari.

When a user clicks a button on a website that triggers this URI scheme, it initiates a process handled by Apple’s MarketplaceKit.

This process communicates with the marketplace’s backend servers to manage the app installation.

However, the critical issue arises because the MarketplaceKit process sends a unique client_id identifier to the marketplace’s backend.

The report states that this identifier facilitates the installation process but can also be misused to track the user across different sites.

One issue that worsens the problem is that the identifier is transmitted discreetly, without the user’s explicit knowledge, and the installation process does not inform the user if it fails due to network problems or other errors.

This flaw is particularly alarming because it can be exploited by any website, not just the intended marketplace sites.

Malicious actors could potentially set up websites that mimic legitimate marketplaces and trick users into clicking buttons that activate the marketplace-kit URI scheme.

This would expose users to potential privacy breaches and a range of security risks, including the installation of malicious software.

Apple’s Stance and Security Measures

Apple has stated that the introduction of the marketplace-kit URI scheme is a security measure intended to comply with the DMA while still protecting users by requiring a physical click to initiate the installation process.

However, the current implementation has been criticized for not adequately safeguarding against the misuse of the client_id and for not providing sufficient feedback to users about the status of the installation process.

This vulnerability is currently limited to EU users as the marketplace-kit URI scheme is not supported on iPhones outside the EU.

Users are advised to be cautious about downloading apps from sources other than the official Apple App Store, especially from websites that are not well-known or verified marketplace operators.

In response to these findings, digital security experts are urging Apple to revisit the implementation of the marketplace-kit URI scheme to enhance user privacy and security.

As this situation develops, EU iPhone users are reminded to stay vigilant and to consider the security implications of installing apps through new and potentially unverified channels.

Combat Email Threats with Easy-to-Launch Phishing Simulations: Email Security Awareness Training -> Try Free Demo 

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Chinese SilkSpecter Hackers Attacking Black Friday Shoppers

SilkSpecter, a Chinese financially motivated threat actor, launched a sophisticated phishing campaign targeting e-commerce shoppers…

1 hour ago

Cybercriminals Launch SEO Poisoning Attack to Lure Shoppers to Fake Online Stores

The research revealed how threat actors exploit SEO poisoning to redirect unsuspecting users to malicious…

1 hour ago

Black Basta Ransomware Leveraging Social Engineering For Malware Deployment

Black Basta, a prominent ransomware group, has rapidly gained notoriety since its emergence in 2022…

2 hours ago

Critical Laravel Vulnerability CVE-2024-52301 Allows Unauthorized Access

CVE-2024-52301 is a critical vulnerability identified in Laravel, a widely used PHP framework for building…

3 hours ago

4M+ WordPress Websites to Attacks, Following Plugin Vulnerability

A critical vulnerability has been discovered in the popular "Really Simple Security" WordPress plugin, formerly…

5 hours ago

CISA Warns of Actors Exploiting Two Palo Alto Networks Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert and added two…

6 hours ago