Same‑Origin Policy bypass
A high‑risk security bypass affecting iOS, iPadOS and macOS can circumvent the Same Origin Policy and expose cross‑origin credentials, tokens and private data — a major issue for apps embedding web content or hybrid frameworks. The flaw raises immediate concerns for any app using WKWebView, SFSafariViewController, or in‑app authentication flows. (teamwin.in)
Apple assigned the bug CVE‑2026‑20643 and filed it in WebKit Bugzilla as 306050, crediting researcher Thomas Espach with publication on March 17, 2026. (support.apple.com) Apple rolled the fix into its Background Security Improvements for iOS 26.3.1 (a), iPadOS 26.3.1 (a), macOS 26.3.1 (a) and macOS 26.3.2 (a), released March 17, 2026. (cvefeed.io) Apple’s advisory describes the remediation as “improved input validation” in the Navigation API of WebKit rather than a structural rewrite, with the patch surfaced via the Background Security Improvements channel. (support.apple.com) Background Security Improvements are delivered silently only to devices on the latest OS train, and Apple documents a path to verify or enable automatic installation under Settings → Privacy & Security → Background Security Improvements (installation may require the device passcode). (support.apple.com) Apple’s advisory does not report observed in‑the‑wild exploitation; independent analysts note the flaw’s value in multi‑stage attacks where an SOP‑related bug can be chained to steal session tokens or enable UXSS. (socprime.com) Public notes and national CERT listings emphasize that apps built with legacy wrappers or older SDKs can leave endpoints exposed on unmanaged devices, and organizations should inventory apps that still rely on deprecated UIWebView or third‑party WebView wrappers. (ibm.com)
