Advisory ID: NCC-CSIRT-2026-011
Summary:
Apple has released security updates to fix a vulnerability in WebKit, the browser engine that powers Safari and all browsers on iOS devices. The vulnerability could allow a malicious website to bypass browser security controls and access sensitive data from other websites open in the same browser session.
The vulnerability is tracked as CVE-2026-20643 and has been addressed through Apple’s new Background Security Improvement update mechanism, which allows Apple to deploy urgent security fixes without requiring full operating system updates.
Damage: High
Probability: Medium
Product(s):
- iPhone (iOS)
- iPad (iPadOS)
- Mac computers (macOS)
- Apple Safari browser
- All browsers on iOS and iPadOS that use WebKit
Version(s):
- iPhone (iOS) Earlier than iOS 17.4
- iPad (iPadOS) Earlier than iPadOS 17.4
- Mac computers (macOS), earlier than macOS Sonoma 14.4
- Apple Safari browser, earlier than Safari 17.4
- All browsers on iOS and iPadOS that use WebKit Versions before the March 2026 security update
Platform(s):
- iOS
- iPadOS
- macOS
- Safari browser
- WebKit browser engine
Indicators of Compromise (IOCs):
- Unexpected account logins or session hijacking.
- Suspicious browser redirects.
- Unauthorized access to web applications.
- Abnormal browser activity after visiting unknown websites.
- Unusual authentication alerts from online services.
Description:
The vulnerability exists in Apple’s WebKit browser engine, specifically involving a cross-origin security issue in the browser navigation component. This flaw could allow malicious web content to bypass the Same-Origin Policy, a fundamental browser security control that prevents one website from accessing data belonging to another.
If exploited, a malicious website could potentially access sensitive information from other websites open in the same browser session, including login data, browsing information, session tokens, or other private content. The vulnerability could be triggered simply by visiting a specially crafted malicious website.
The vulnerability affects Apple devices because all browsers on iOS and iPadOS must use WebKit, meaning the issue impacts Safari as well as third-party browsers such as Chrome or Firefox running on iPhones and iPads.
Apple has addressed the issue by improving input validation and access restrictions in the WebKit engine and has recommended that all users update their devices immediately to receive the security fix.
Impacts:
- Access sensitive user data from other websites.
- Steal authentication session tokens.
- Access login information or browsing history.
- Conduct account hijacking attacks.
- Perform targeted surveillance or espionage attacks.
- Deploy further malware through browser exploitation.
Threat Types:
- Information Disclosure
- Cross-Site Data Leakage
- Session Hijacking
- Account Takeover
- Privacy Breach
Solutions/Mitigations:
NCC-CSIRT recommends the following mitigation steps:
- Update Apple devices immediately to the latest versions of iOS, iPadOS, and macOS.
- Enable automatic updates on Apple devices.
- Avoid visiting untrusted websites or clicking suspicious links.
- Use multi-factor authentication (MFA) for online accounts.
- Clear browser sessions after accessing sensitive platforms such as banking or corporate systems.
- Organizations should implement mobile device management (MDM) policies to enforce device updates.
- Monitor for suspicious login activity across enterprise systems.
References: