Safari HSTS Circumvention

Earlier this year, I happened to play around with injecting funny data into unprotected HTTP communications of my test MacBook, when Safari turned out to exhibit a surprising behaviour in combination with sites that enable HSTS:

Let’s say https://foo.com/ has been visited recently and enabled HSTS via an appropriate Strict-Transport-Security header. When unrelated non-TLS HTTP traffic is intercepted and an HTTP 302 redirect with Location: http://foo.com/ is injected, Safari does not implicitly upgrade the target to HTTPS. Instead, it follows the redirect insecurely, and non-Secure cookies for foo.com leak over plaintext HTTP.
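As an added illustration (not Safari's or Apple's code, and not part of the original advisory), the following models the RFC 6797 client rules that the injected redirect should have triggered: a host learned over TLS is upgraded before an http:// Location is followed, so a non-Secure cookie still travels over TLS. Host names, headers and timestamps are constructed.

```python
"""Client-side HSTS rules an injected 302 must hit (RFC 6797). Added example, not Safari's
code; hosts, headers and timestamps are constructed."""
import re
from urllib.parse import urlsplit, urlunsplit

_MAX_AGE = re.compile(r"(?:^|;)\s*max-age\s*=\s*\"?(\d+)\"?", re.IGNORECASE)
_INCLUDE_SUB = re.compile(r"(?:^|;)\s*includeSubDomains\s*(?:;|$)", re.IGNORECASE)

class HstsStore:
    """Known HSTS hosts: host -> (expiry epoch seconds, includeSubDomains flag)."""
    def __init__(self):
        self._hosts = {}

    def observe(self, url, headers, now):
        """Record an STS policy; only a TLS response may set one (RFC 6797 s8.1)."""
        parts = urlsplit(url)
        sts = headers.get("Strict-Transport-Security")
        if parts.scheme != "https" or not sts:
            return False
        m = _MAX_AGE.search(sts)
        if not m:
            return False            # max-age is mandatory; ignore a malformed header
        if int(m.group(1)) == 0:
            self._hosts.pop(parts.hostname, None)   # max-age=0 deletes the entry
            return True
        expiry = now + int(m.group(1))
        self._hosts[parts.hostname] = (expiry, bool(_INCLUDE_SUB.search(sts)))
        return True

    def is_known(self, host, now):
        """True if host, or a parent with includeSubDomains, has an unexpired policy."""
        labels = (host or "").lower().split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def resolve_redirect(self, location, now):
        """Rewrite an http:// redirect target to https:// if HSTS applies (s8.3)."""
        parts = urlsplit(location)
        if parts.scheme != "http" or not self.is_known(parts.hostname, now):
            return location
        netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

def cookies_for(url, cookies):
    """Cookies a client may attach: Secure-flagged ones only over https (constructed jar)."""
    scheme = urlsplit(url).scheme
    return sorted(n for n, secure in cookies.items() if scheme == "https" or not secure)
```

With the injected Location resolved through the store, the request goes to https://foo.com/ and the non-Secure session cookie is never sent in the clear; following the raw Location is exactly the leak described above.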

For a detailed description of the issue, see our related report/advisory. I originally identified the issue on macOS Big Sur 10.2.3 with Safari 14.0.3 in April 2021. According to our internal analysis, the issue was no longer reproducible on macOS Big Sur 11.5.1 with Safari 14.1.2 in August 2021.

The issue was responsibly disclosed to Apple. At Apple's request, our report was withheld from publication until all necessary security updates were available. CVE-2021-30823 was assigned to the issue, and I have been credited accordingly in the following security update release notes: