CVE-2021-30888
📋 TL;DR
This vulnerability lets an attacker-controlled website abuse Content Security Policy (CSP) violation reports to learn where a cross-origin request was redirected to. The attacker page ships a CSP that does not allow the redirect destination and names a report-uri under its control; the violation report then discloses the redirect target, which a spec-conforming browser would have reduced to its origin. It affects anyone who loads such a page in Safari or another WebKit-based browser on an Apple device, and the result is cross-origin information disclosure.
💻 Affected Systems
- Safari
- WebKit-based browsers
- iOS
- iPadOS
- macOS
- tvOS
- watchOS
📦 What is this software?
- iPadOS by Apple
- macOS by Apple: macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...
- tvOS by Apple
- watchOS by Apple
⚠️ Risk & Real-World Impact
Worst Case
A malicious page learns the full URL that a cross-origin redirect landed on, computed by the target site using the victim's existing session with it. Where a site encodes per-user data in redirect targets (authentication or SSO tokens, user identifiers, account-specific landing pages), that data is handed to the attacker. Cookies themselves are not exposed; what leaks is whatever the redirect URL carries.
Likely Case
An attacker site, typically reached through phishing or malvertising, probes selected third-party endpoints and learns, for example, whether the victim is logged in (logged-in and anonymous users are redirected to different places) or which account a redirect target names. The victim sees nothing; the data arrives at the attacker's report-uri endpoint as ordinary CSP violation reports.
If Mitigated
If the target site marks its session cookies SameSite=Lax or Strict, the cross-site subresource request the attacker triggers carries no session, so the observed redirect is the logged-out one and the leak is reduced to the site's public redirect structure. A CSP on the target site does not help here: the policy that generates the report is the attacker's own.
🎯 Exploit Status
Exploitation only requires the victim to load an attacker-controlled page; no authentication or special permissions are needed, and nothing is visible to the user. The technique leverages CSP report-uri redirect behavior: the attacker page sends a restrictive CSP (for example `img-src https://target.example`) with a report-uri it controls, embeds a subresource from the target that redirects elsewhere, and reads the redirect destination out of the blocked-uri field of the resulting violation report. The CSP specification defends against exactly this by reporting only the origin of any URL reached through a redirect.
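The following model, added here as an illustration and not code from the page or from WebKit, shows what the attacker's report collector receives. It implements the CSP3 "strip URL for use in reports" rule, under which a URL reached through a redirect is reduced to its origin, and contrasts it with a hypothetical `leaky_report` that forgets the redirect and reports the full URL, which is the behavior the advisory describes. The scenario (attacker.example, victim.example, idp.example, the `login_hint` parameter) is constructed; mapping this to WebKit's actual code path is an assumption.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit, urlunsplit


@dataclass
class BlockedLoad:
    """A cross-site subresource load that CSP blocked after a redirect (constructed)."""
    document_uri: str    # the attacker page that set the policy
    final_url: str       # URL the redirect landed on, which the policy does not allow
    redirect_count: int  # redirects followed before the block


def origin_of(url: str) -> str:
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"


def strip_for_report(url: str, redirect_count: int) -> str:
    """CSP3 'strip URL for use in reports'.

    A URL reached via a redirect is reduced to its origin, so a page cannot
    learn where a cross-site resource redirected to. Otherwise only the
    credentials and fragment are removed; path and query stay.
    """
    if redirect_count > 0:
        return origin_of(url)
    p = urlsplit(url)
    host = p.hostname or ""
    if p.port:
        host = f"{host}:{p.port}"
    return urlunsplit((p.scheme, host, p.path, p.query, ""))


def compliant_report(load: BlockedLoad, directive: str) -> dict:
    """Report body a spec-conforming browser POSTs to the attacker's report-uri."""
    return {
        "document-uri": load.document_uri,
        "violated-directive": directive,
        "blocked-uri": strip_for_report(load.final_url, load.redirect_count),
    }


def leaky_report(load: BlockedLoad, directive: str) -> dict:
    """Hypothetical model of the advisory's bug: the redirect is not accounted
    for, so the full post-redirect URL reaches the attacker."""
    return {
        "document-uri": load.document_uri,
        "violated-directive": directive,
        "blocked-uri": strip_for_report(load.final_url, 0),
    }


def leaked_query(report: dict) -> dict:
    """What the attacker's collector can extract: the query of blocked-uri."""
    query = urlsplit(report["blocked-uri"]).query
    return {k: v[0] for k, v in parse_qs(query).items()}


# Constructed scenario: attacker.example serves
#   Content-Security-Policy: img-src https://victim.example; report-uri /collect
# and embeds <img src="https://victim.example/sso/start">. victim.example, seeing the
# victim's session cookie, redirects to its identity provider with a per-user hint.
LOAD = BlockedLoad(
    document_uri="https://attacker.example/",
    final_url="https://idp.example/authorize?client_id=portal&login_hint=alice%40victim.example#x",
    redirect_count=1,
)

if __name__ == "__main__":
    print("compliant:", compliant_report(LOAD, "img-src")["blocked-uri"])
    print("leaky:    ", leaky_report(LOAD, "img-src")["blocked-uri"])
    print("leaked:   ", leaked_query(leaky_report(LOAD, "img-src")))
```

In the compliant case the collector only learns that the redirect went to `https://idp.example`; in the leaky case it also gets the query string, including which user the victim site believes is logged in.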
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: iOS 15.1, iPadOS 15.1, macOS Monterey 12.0.1, iOS 14.8.1, iPadOS 14.8.1, tvOS 15.1, watchOS 8.1
Vendor Advisory: https://support.apple.com/en-us/HT212867
Restart Required: Yes
Instructions:
1. On iOS/iPadOS/watchOS/tvOS, go to Settings > General > Software Update.
2. Install the latest available update.
3. On macOS, go to System Preferences > Software Update.
4. Restart the device after installation completes.
5. For WebKitGTK and WPE WebKit on Linux, apply your distribution's update for the WebKitGTK/WPE advisory posted to oss-security (linked in References).
🔧 Temporary Workarounds
Disable JavaScript (all platforms)
Reduces the attack surface but does not reliably prevent exploitation: the report is generated by the browser's CSP enforcement, not by page script, so a CSP delivered as an HTTP response header plus a plain <img> or <script> tag is enough to trigger it.
Use alternative browsers (macOS only)
Temporarily use a non-WebKit browser such as Firefox or Chrome on macOS. This does not help on iOS/iPadOS, where every browser is built on the system WebKit.
🧯 If You Can't Patch
- For web applications you operate: set session cookies to SameSite=Lax or Strict so that cross-site subresource loads are unauthenticated, and avoid placing user-specific secrets (tokens, identifiers) in redirect target URLs. A CSP on your own site does not mitigate this issue, since the policy producing the report is the attacker's.
- Educate users about phishing risks and avoid clicking suspicious links.
🔍 How to Verify
Check if Vulnerable:
Any iOS/iPadOS 15.0, iOS/iPadOS 14.x below 14.8.1, macOS Monterey 12.0, tvOS below 15.1, or watchOS below 8.1 is vulnerable. Check the device version in Settings > General > About (iOS/iPadOS) or About This Mac (macOS).
Check Version:
On macOS: `sw_vers -productVersion`; on iOS/iPadOS: Settings > General > About > Version
Verify Fix Applied:
Verify the installed version matches or exceeds the patched version for its release branch as listed under Official Fix. Note that the fix shipped on two iOS/iPadOS branches (14.8.1 and 15.1): a 15.0 device is newer than 14.8.1 but still unpatched.
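The two-branch point above is easy to get wrong in fleet reporting, so here is a small checker, added as an example and not vendor tooling, that compares a reported OS version against the patched releases listed under Official Fix. `PATCHED` is copied from that section; `running_macos_version` shells out to `sw_vers -productVersion`, which exists on macOS only, and for other platforms the version string is passed in by hand. A release branch the table does not cover (for example macOS 11) yields `None`, meaning "check a different advisory", rather than a false "patched".

```python
import subprocess

# Patched releases from the Official Fix section, keyed by OS.
PATCHED = {
    "iOS": ["14.8.1", "15.1"],
    "iPadOS": ["14.8.1", "15.1"],
    "macOS": ["12.0.1"],
    "tvOS": ["15.1"],
    "watchOS": ["8.1"],
}


def parse_version(version: str) -> tuple:
    """'15.1.1' -> (15, 1, 1); tuples compare component-wise."""
    return tuple(int(part) for part in version.strip().split("."))


def is_patched(os_name: str, version: str):
    """True/False if `version` lies on a branch this advisory covers, else None.

    A version is patched when it is at or above the fixed release of its own
    major branch, or belongs to a later major release. A naive
    'version >= 14.8.1' would wrongly clear iOS 15.0.
    """
    current = parse_version(version)
    fixed_releases = sorted(parse_version(v) for v in PATCHED[os_name])
    for fixed in fixed_releases:
        if current[0] == fixed[0]:
            return current >= fixed
    if current[0] > fixed_releases[-1][0]:
        return True  # later major releases ship with the fix
    return None  # older branch not covered by this advisory's table


def running_macos_version() -> str:
    """Version of the macOS host this runs on (fails on other platforms)."""
    return subprocess.run(
        ["sw_vers", "-productVersion"], capture_output=True, text=True, check=True
    ).stdout.strip()


if __name__ == "__main__":
    # Constructed fleet inventory rows: (OS, reported version)
    inventory = [("iOS", "15.0"), ("iOS", "14.8.1"), ("iPadOS", "15.1"),
                 ("macOS", "12.0"), ("macOS", "11.6"), ("watchOS", "8.1")]
    for os_name, version in inventory:
        print(f"{os_name} {version}: {is_patched(os_name, version)}")
```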
📡 Detection & Monitoring
Log Indicators:
- The violation reports go to the attacker's report-uri, so the targeted site never sees them. What the targeted site's web server can see: requests to redirecting endpoints (SSO start, login, "go to account" links) arriving as subresource loads with a Referer or Origin from a domain you do not control.
- At an enterprise egress proxy that logs request bodies: POSTs with Content-Type application/csp-report to a destination that is not one of your own report collectors, whose blocked-uri names one of your hosts.
- Many such reports from one client session in a short window, consistent with a page probing several endpoints.
Network Indicators:
- Outbound HTTP POST requests carrying CSP violation reports (JSON body, Content-Type application/csp-report) to unfamiliar domains; the sensitive data is in the body's blocked-uri field, not in URL parameters.
- Blocked-uri values that contain a path or query string for a host that only ever appears as a redirect target; a spec-conforming browser reports just the origin in that case.
SIEM Query (field names vary by product; body matching requires the proxy to log POST bodies):
http.method="POST" AND http.request.content_type="application/csp-report" AND NOT http.dest.host IN (<your report collectors>) AND http.request.body CONTAINS "<your SSO or login host>"
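The proxy-side indicator above, as an added example run over constructed records rather than real traffic (not tooling from the page or from any vendor). Each record models one outbound POST logged by a forward proxy with its body; `MONITORED_HOSTS`, `KNOWN_COLLECTORS` and `SECRET_PARAMS` are assumed values an operator would replace. Reports that carry a monitored host's URL to an unknown collector are flagged, with severity raised when the blocked-uri's query holds token-like parameters.

```python
import json
from urllib.parse import parse_qs, urlsplit

# Hosts whose redirect targets may carry per-user data (assumed for the example).
MONITORED_HOSTS = {"victim.example", "idp.example"}
# Endpoints our own CSP report-uri points at; reports going there are expected.
KNOWN_COLLECTORS = {"csp.victim.example"}
# Query parameter names that usually carry secrets or identity in redirect URLs.
SECRET_PARAMS = {"code", "token", "access_token", "id_token", "state", "login_hint"}


def parse_csp_report(record: dict):
    """Return the csp-report object from a proxied POST, or None if it isn't one."""
    if record.get("method") != "POST":
        return None
    ctype = record.get("content_type", "").split(";")[0].strip().lower()
    if ctype != "application/csp-report":
        return None
    try:
        return json.loads(record.get("body", "")).get("csp-report")
    except (ValueError, AttributeError):  # malformed or non-object body
        return None


def assess(record: dict):
    """Flag a CSP report that carries a monitored host's URL to an unknown collector."""
    report = parse_csp_report(record)
    if not report:
        return None
    blocked = urlsplit(report.get("blocked-uri", ""))
    if blocked.hostname not in MONITORED_HOSTS:
        return None
    collector = urlsplit(record["url"]).hostname
    if collector in KNOWN_COLLECTORS:
        return None
    leaked = sorted(k for k in parse_qs(blocked.query) if k in SECRET_PARAMS)
    if leaked:
        severity = "high"    # a secret-bearing redirect target left the browser
    elif blocked.path not in ("", "/") or blocked.query:
        severity = "medium"  # more than the origin was reported
    else:
        severity = "low"     # origin only, as the spec requires; odd destination though
    return {
        "collector": collector,
        "document_uri": report.get("document-uri"),
        "blocked_uri": report.get("blocked-uri"),
        "leaked_params": leaked,
        "severity": severity,
    }


def scan(records):
    return [finding for finding in (assess(r) for r in records) if finding]


def _report_body(document_uri, blocked_uri):
    return json.dumps({"csp-report": {"document-uri": document_uri,
                                      "violated-directive": "img-src",
                                      "blocked-uri": blocked_uri}})


# Constructed proxy records (outbound POSTs with their bodies), not real traffic.
SAMPLE_RECORDS = [
    {   # the attack: full redirect target exfiltrated to the attacker's collector
        "method": "POST", "url": "https://attacker.example/collect",
        "content_type": "application/csp-report",
        "body": _report_body("https://attacker.example/",
                             "https://idp.example/authorize?client_id=portal"
                             "&login_hint=alice%40victim.example&state=xyz"),
    },
    {   # our own site's legitimate report to our own collector
        "method": "POST", "url": "https://csp.victim.example/report",
        "content_type": "application/csp-report; charset=utf-8",
        "body": _report_body("https://victim.example/", "https://idp.example"),
    },
    {   # third-party report about an unrelated host
        "method": "POST", "url": "https://other.example/r",
        "content_type": "application/csp-report",
        "body": _report_body("https://other.example/", "https://cdn.ads.example/x.js"),
    },
    {   # origin-only report to an unknown collector: low, but worth a look
        "method": "POST", "url": "https://attacker.example/collect",
        "content_type": "application/csp-report",
        "body": _report_body("https://attacker.example/", "https://idp.example"),
    },
    {"method": "GET", "url": "https://idp.example/authorize", "content_type": "", "body": ""},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(finding)
```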
🔗 References
- http://www.openwall.com/lists/oss-security/2021/12/20/6
- https://support.apple.com/en-us/HT212867
- https://support.apple.com/en-us/HT212868
- https://support.apple.com/en-us/HT212869
- https://support.apple.com/en-us/HT212874
- https://support.apple.com/en-us/HT212876