A serious concern has arisen for iPhone users in the European Union as a newly discovered flaw in Apple’s Safari browser has the potential to expose them to tracking and malicious activities.
The vulnerability lies in the fact that third-party marketplace apps can exploit this flaw, posing a significant risk to users’ privacy and security.
As a result, users are advised to exercise caution while browsing the internet and downloading apps until a fix is rolled out.
This vulnerability stems from a specific implementation designed to comply with the European Digital Market Act (DMA), which mandates that users should be able to download and install apps from developers’ websites, not just the Apple App Store.
Integrate ANY.RUN in Your Company for Effective Malware Analysis
Are you from SOC, Threat Research, or DFIR departments? If so, you can join an online community of 400,000 independent security researchers:
- Real-time Detection
- Interactive Malware Analysis
- Easy to Learn by New Security Team members
- Get detailed reports with maximum data
- Set Up Virtual Machine in Linux & all Windows OS Versions
- Interact with Malware Safely
If you want to test all these features now with completely free access to the sandbox:
The Flaw Explained
The vulnerability involves a new URI scheme introduced in iOS 17.4, named marketplace-kit
, which allows the installation of third-party marketplace apps directly from websites via Safari.
When a user clicks a button on a website that triggers this URI scheme, it initiates a process handled by Apple’s MarketplaceKit.
This process communicates with the marketplace’s backend servers to manage the app installation.
However, the critical issue arises because the MarketplaceKit process sends a unique client_id
identifier to the marketplace’s backend.
The report states that this identifier facilitates the installation process but can also be misused to track the user across different sites.
One issue that worsens the problem is that the identifier is transmitted discreetly, without the user’s explicit knowledge, and the installation process does not inform the user if it fails due to network problems or other errors.
This flaw is particularly alarming because it can be exploited by any website, not just the intended marketplace sites.
Malicious actors could potentially set up websites that mimic legitimate marketplaces and trick users into clicking buttons that activate the marketplace-kit
URI scheme.
This would expose users to potential privacy breaches and a range of security risks, including the installation of malicious software.
Apple’s Stance and Security Measures
Apple has stated that the introduction of the marketplace-kit
URI scheme is a security measure intended to comply with the DMA while still protecting users by requiring a physical click to initiate the installation process.
However, the current implementation has been criticized for not adequately safeguarding against the misuse of the client_id
and for not providing sufficient feedback to users about the status of the installation process.
This vulnerability is currently limited to EU users as the marketplace-kit
URI scheme is not supported on iPhones outside the EU.
Users are advised to be cautious about downloading apps from sources other than the official Apple App Store, especially from websites that are not well-known or verified marketplace operators.
In response to these findings, digital security experts are urging Apple to revisit the implementation of the marketplace-kit
URI scheme to enhance user privacy and security.
As this situation develops, EU iPhone users are reminded to stay vigilant and to consider the security implications of installing apps through new and potentially unverified channels.
Combat Email Threats with Easy-to-Launch Phishing Simulations: Email Security Awareness Training ->
Try Free Demo