
"WebKit is the underlying technology that powers Safari and other browsers on iOS. The flaw, CVE-2026-20643, specifically affects the Same Origin Policy, which stops one website from accessing another's personal information. By exploiting the vulnerability, maliciously crafted web content could potentially access data from another site."
"To take advantage of CVE-2026-20643, a threat actor would need to lure their victim—most likely via a phishing email—to visit a malicious website. At that point, the malicious page would attempt to bypass the isolation enforced by the Same Origin Policy, which restricts how documents and scripts loaded from one origin interact with resources from another."
"For organisations, it's crucial to ensure this update is issued immediately as any postponements will leave devices and operations vulnerable. More importantly, users should set updates to be issued automatically, so there's no window for attackers to exploit."
Apple has released a Background Security Update to address CVE-2026-20643, a vulnerability in the WebKit browser engine that affects Safari and other browsers on iOS, iPadOS, macOS, and watchOS. The flaw, discovered by security researcher Thomas Espach, undermines the Same Origin Policy, the security mechanism that prevents one website from accessing another's data. To exploit it, an attacker would lure a victim to a malicious website, most likely through a phishing email. Once the page is visited, its content attempts to bypass the isolation the Same Origin Policy enforces, potentially gaining unauthorized access to sensitive information from other sites. Apple addressed the issue through improved input validation. Organizations are urged to deploy the update immediately and to enable automatic updates so that no window remains for attackers to exploit.
Read at ComputerWeekly.com