Apple iOS 9 Update Fixes Security Bug That Lingered For Two Years

The computer bug let hackers masquerade online as anyone attempting to access certain websites. Prior to the fix, attackers could steal users’ web browsing “cookies”—the identifying data-tags that websites use to recognize return visitors—and use them to impersonate their victims on those sites.

The flaw only impacted sites using default HTTP to shuttle Internet traffic between their computer servers and users. HTTPS-protected sites were not vulnerable.

Get Data Sheet, Fortune’s technology newsletter.

The problem involved how and where Apple’s software had been stashing users’ cookies. At issue was a faulty shared cache. In addition to a device’s Safari browser accessing the cookie store, the bug allowed “captive portals”—another type of browser (think of the login box that automatically pops up when joining a Wi-Fi network at, say, a Starbucks (SBUX))—to access the store as well. Crafty hackers could then exploit this to break inside and steal the cookies.

Skycure, a mobile cybersecurity firm based in Palo Alto, Calif., notified Apple of the vulnerability in June 2013. The two worked together to fix the problem, and Apple acknowledged that it had done so as part of its iOS 9.2.1 software update this month.

“An issue existed that allowed some captive portals to read or write cookies,” the company detailed on a support webpage. “The issue was addressed through an isolated cookie store for all captive portals.”

For more on software bugs, watch:

Skycure provides a more detailed explanation of its researchers’ findings on its company blog. The firm noted that “this is the longest it has taken Apple to fix a security issue reported by us.”

An Apple (AAPL) source described the software fix as being highly complicated, technically speaking, in conversation with Fortune. That echoes the account of the Skycure researchers, who noted that “the fix was more complicated than one would imagine.”