Search
The New York Pops Present "Jim Henson's Musical World" - Show
A notorious cookie thief Photograph by Brian Killian—WireImage via Getty Images

Apple iOS 9 Update Fixes Security Bug That Lingered For Two Years

Jan 21, 2016

With its recent iOS 9 software update, Apple has fixed a coding flaw that lingered in its operating system for more than two years after first being reported.

The computer bug let hackers masquerade online as anyone attempting to access certain websites. Prior to the fix, attackers could steal users' web browsing "cookies"—the identifying data-tags that websites use to recognize return visitors—and use them to impersonate their victims on those sites.

The flaw only impacted sites using default HTTP to shuttle Internet traffic between their computer servers and users. HTTPS-protected sites were not vulnerable.

Get Data Sheet, Fortune’s technology newsletter.

The problem involved how and where Apple's software had been stashing users' cookies. At issue was a faulty shared cache. In addition to a device's Safari browser accessing the cookie store, the bug allowed "captive portals"—another type of browser (think of the login box that automatically pops up when joining a Wi-Fi network at, say, a Starbucks (sbux))—to access the store as well. Crafty hackers could then exploit this to break inside and steal the cookies.

Skycure, a mobile cybersecurity firm based in Palo Alto, Calif., notified Apple of the vulnerability in June 2013. The two worked together to fix the problem, and Apple acknowledged that it had done so as part of its iOS 9.2.1 software update this month.

"An issue existed that allowed some captive portals to read or write cookies," the company detailed on a support webpage. "The issue was addressed through an isolated cookie store for all captive portals."

For more on software bugs, watch:

Skycure provides a more detailed explanation of its researchers' findings on its company blog. The firm noted that "this is the longest it has taken Apple to fix a security issue reported by us."

An Apple (aapl) source described the software fix as being highly complicated, technically speaking, in conversation with Fortune. That echoes the account of the Skycure researchers, who noted that "the fix was more complicated than one would imagine."

All products and services featured are based solely on editorial selection. FORTUNE may receive compensation for some links to products and services on this website.

Quotes delayed at least 15 minutes. Market data provided by Interactive Data. ETF and Mutual Fund data provided by Morningstar, Inc. Dow Jones Terms & Conditions: http://www.djindexes.com/mdsidx/html/tandc/indexestandcs.html. S&P Index data is the property of Chicago Mercantile Exchange Inc. and its licensors. All rights reserved. Terms & Conditions. Powered and implemented by Interactive Data Managed Solutions