Daily cyber threats and internet security news: network security, online safety and latest security alerts
July 29th, 2008

Apple Safari Domain Extensions Insecure Cookie Access Vulnerability

According to the National Vulnerability Database, Apple’s Safari browser is vulnerable to session fixation attacks because of the way it handles cookies in country-specific top-level domains. A hacker who appeared at Microsoft’s Blue Hat summit is credited with discovering this Safari vulnerability. Safari 3.1.2 is vulnerable; other versions may also be affected.

Apple Safari allows web sites to set cookies for country-specific top-level domains, such as and, which could allow remote attackers to perform a session fixation attack and hijack a user’s HTTP session, aka “Cross-Site Cooking”. The flaw allows unauthorized disclosure of information, unauthorized modification of content, and disruption of service. To exploit this issue, an attacker must entice an unsuspecting user to open a malicious document.
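The underlying problem is cookie scoping: if a browser accepts a `Domain` attribute that names a public suffix (a registry-controlled label such as a country-code second-level domain), every site under that suffix receives the cookie, which is what lets a third-party site plant a session identifier on another site. The following is an added example, not code from the article or from Apple, showing the check browsers adopted to close this class of bug: a `Domain` attribute must domain-match the responding host and must not itself be a public suffix. The suffix list, the hostnames and the `Set-Cookie` headers are constructed for illustration; a real implementation would load the full Public Suffix List. The audit helper at the end can be pointed at a server's own `Set-Cookie` headers to confirm that session cookies are not scoped too broadly.

```javascript
// Added example (not from the original article): cookie Domain-attribute
// scoping modelled on RFC 6265 section 5.3 plus a public-suffix rule.
// PUBLIC_SUFFIXES is a small constructed subset for illustration only.
const PUBLIC_SUFFIXES = new Set([
  "com", "org", "net", "uk", "co.uk", "org.uk", "au", "com.au", "jp", "co.jp",
]);

// Canonicalize a host or Domain attribute: lower-case, drop a leading dot
// (RFC 6265 section 5.2.3) and any trailing dot.
function canonicalize(name) {
  return name.trim().toLowerCase().replace(/^\./, "").replace(/\.$/, "");
}

// RFC 6265 section 5.1.3 domain-match: host equals domain, or host ends
// with "." followed by domain.
function domainMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Decide whether a cookie carrying domainAttribute may be stored for a
// response from requestHost. Returns an object so callers can see why a
// cookie was rejected rather than just a boolean.
function evaluateCookieDomain(requestHost, domainAttribute) {
  const host = canonicalize(requestHost);
  if (!domainAttribute) {
    return { accepted: true, hostOnly: true, domain: host, reason: "no Domain attribute" };
  }
  const domain = canonicalize(domainAttribute);
  // A Domain that is itself a public suffix would be sent to every site under
  // that suffix. Reject it unless it equals the request host exactly, in
  // which case the cookie degrades to host-only (the RFC 6265 behaviour).
  if (PUBLIC_SUFFIXES.has(domain)) {
    if (domain === host) {
      return { accepted: true, hostOnly: true, domain: host, reason: "public suffix equal to host; treated as host-only" };
    }
    return { accepted: false, hostOnly: false, domain, reason: "Domain is a public suffix" };
  }
  // The responding host must lie within the requested cookie domain.
  if (!domainMatches(host, domain)) {
    return { accepted: false, hostOnly: false, domain, reason: "request host does not domain-match Domain" };
  }
  return { accepted: true, hostOnly: false, domain, reason: "ok" };
}

// Parse one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim());
  const [name, ...valueParts] = parts[0].split("=");
  const attrs = {};
  for (const p of parts.slice(1)) {
    const i = p.indexOf("=");
    const key = (i === -1 ? p : p.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? "" : p.slice(i + 1).trim();
  }
  return { name: name.trim(), value: valueParts.join("="), attrs };
}

// Audit a Set-Cookie header issued by requestHost; a rejected result means a
// correctly behaving browser would not store the cookie, and a cookie scoped
// to a public suffix is a configuration mistake worth flagging server-side.
function auditSetCookie(requestHost, header) {
  const cookie = parseSetCookie(header);
  return { name: cookie.name, ...evaluateCookieDomain(requestHost, cookie.attrs.domain) };
}

// Constructed sample headers: one well-scoped session cookie, one scoped to a
// public suffix, one set by a host outside the named domain, and one at ".com".
const SAMPLES = [
  ["www.example.co.uk", "SESSIONID=abc123; Domain=example.co.uk; Path=/; Secure; HttpOnly"],
  ["www.example.co.uk", "SESSIONID=xyz789; Domain=co.uk; Path=/"],
  ["other.co.uk", "SESSIONID=abc123; Domain=example.co.uk; Path=/"],
  ["www.example.com", "SESSIONID=abc123; Domain=.com; Path=/"],
];

// Run the samples through the audit and return the results.
function auditSamples() {
  return SAMPLES.map(([host, header]) => auditSetCookie(host, header));
}

for (const r of auditSamples()) {
  console.log(`${r.name} domain=${r.domain}: ${r.accepted ? "accept" : "REJECT"} (${r.reason})`);
}
```

Only the first sample is accepted; the other three are rejected, which is the behaviour a patched browser exhibits and the condition a server-side audit should enforce on its own session cookies.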

Currently there are no vendor-supplied patches. As a permanent solution, do not browse untrusted web sites or follow untrusted links.


2 Responses to “Apple Safari Domain Extensions Insecure Cookie Access Vulnerability”

1. Yes, this was the initial problem with Safari for Windows, but now all the bugs have been fixed and the browser is totally safe to use.

2. Then why does Google get through, on Mac, the security preference of “Never”?
