Unrated severityNVD Advisory· Published Jun 10, 2009· Updated Apr 23, 2026

CVE-2009-1681

Description

WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through 2.2.1 does not prevent web sites from loading third-party content into a subframe, which allows remote attackers to bypass the Same Origin Policy and conduct "clickjacking" attacks via a crafted HTML document.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

WebKit in Safari and iPhone OS allows clickjacking by failing to prevent third-party content in subframes, bypassing Same Origin Policy.

Vulnerability

WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through 2.2.1 does not prevent web sites from loading third-party content into a subframe [1][2]. This allows a crafted HTML document to bypass the Same Origin Policy and perform clickjacking attacks.

Exploitation

An attacker can host a malicious HTML page that embeds third-party content (such as a target site's UI) within a subframe. The vulnerability requires no special network position beyond serving the crafted page to the victim. The user must visit the malicious page and interact with the disguised elements (e.g., clicking seemingly benign buttons). The attacker can then hijack clicks intended for the trusted site.

Impact

Successful exploitation enables clickjacking, where an attacker can trick a user into clicking on elements of a different origin, such as submitting forms, changing settings, or performing actions on the victim's behalf without their consent. The integrity of user actions is compromised, while confidentiality may also be affected if the attacker can access sensitive information through the subframe.

Mitigation

Apple addressed this issue in Safari 4.0 [1] and iOS 3.0 Software Update (for iPhone OS 1.0 through 2.2.1 and iPod touch 1.1 through 2.2.1) [2]. No workarounds were provided for unpatched versions. Users should upgrade to the fixed versions to mitigate the risk.

References

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

Apple Inc./Safari35 versions
cpe:2.3:a:apple:safari:0.8:*:mac:*:*:*:*:*+ 34 more
- cpe:2.3:a:apple:safari:0.8:*:mac:*:*:*:*:*
- cpe:2.3:a:apple:safari:0.9:*:mac:*:*:*:*:*
- cpe:2.3:a:apple:safari:1.0.3:*:mac:*:*:*:*:*
- cpe:2.3:a:apple:safari:1.0:*:mac:*:*:*:*:*
- cpe:2.3:a:apple:safari:1.1:*:mac:*:*:*:*:*
- cpe:2.3:a:apple:safari:1.2:*:mac:*:*:*:*:*
- cpe:2.3:a:apple:safari:1.3.1:*:mac:*:*:*:*:*
- cpe:2.3:a:apple:safari:1.3.2:*:mac:*:*:*:*:*
- cpe:2.3:a:apple:safari:1.3:*:mac:*:*:*:*:*
- cpe:2.3:a:apple:safari:2.0.2:*:mac:*:*:*:*:*
- cpe:2.3:a:apple:safari:2.0.4:*:mac:*:*:*:*:*
- cpe:2.3:a:apple:safari:2.0:*:mac:*:*:*:*:*
- cpe:2.3:a:apple:safari:3.0.1:*:windows:*:*:*:*:*
- cpe:2.3:a:apple:safari:3.0.2:-:mac:*:*:*:*:*
- cpe:2.3:a:apple:safari:3.0.2:*:windows:*:*:*:*:*
- cpe:2.3:a:apple:safari:3.0.3:*:mac:*:*:*:*:*
- cpe:2.3:a:apple:safari:3.0.3:*:windows:*:*:*:*:*
- cpe:2.3:a:apple:safari:3.0.4:*:mac:*:*:*:*:*
- cpe:2.3:a:apple:safari:3.0.4:*:windows:*:*:*:*:*
- cpe:2.3:a:apple:safari:3.0:*:mac:*:*:*:*:*
- cpe:2.3:a:apple:safari:3.0:*:windows:*:*:*:*:*
- cpe:2.3:a:apple:safari:3.1.1:*:mac:*:*:*:*:*
- cpe:2.3:a:apple:safari:3.1.1:*:windows:*:*:*:*:*
- cpe:2.3:a:apple:safari:3.1.2:*:mac:*:*:*:*:*
- cpe:2.3:a:apple:safari:3.1.2:*:windows:*:*:*:*:*
- cpe:2.3:a:apple:safari:3.1:*:mac:*:*:*:*:*
- cpe:2.3:a:apple:safari:3.1:*:windows:*:*:*:*:*
- cpe:2.3:a:apple:safari:3.2.1:*:mac:*:*:*:*:*
- cpe:2.3:a:apple:safari:3.2.1:*:windows:*:*:*:*:*
- cpe:2.3:a:apple:safari:3.2.2:*:windows:*:*:*:*:*
- cpe:2.3:a:apple:safari:3.2.3:*:mac:*:*:*:*:*
- cpe:2.3:a:apple:safari:3.2:-:windows:*:*:*:*:*
- cpe:2.3:a:apple:safari:*:*:mac:*:*:*:*:*range: <=4.0_beta
- cpe:2.3:a:apple:safari:*:*:windows:*:*:*:*:*range: <=3.2.3
- (no CPE)range: <4.0
Apple Inc./Iphone Osllm-fuzzy
Range: 1.0 - 2.2.1
Apple Inc./iPhone OS for iPod touchllm-fuzzy
Range: 1.1 - 2.2.1
osv-coords
pkg:deb/debian/qt4-x11?arch=source
Range: < 4:4.6.2-4

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

lists.apple.com/archives/security-announce/2009/jun/msg00002.htmlnvdPatchVendor Advisory
support.apple.com/kb/HT3613nvdPatchVendor Advisory
www.vupen.com/english/advisories/2009/1522nvdPatchVendor Advisory
www.securityfocus.com/bid/35260nvdExploit
secunia.com/advisories/35379nvdVendor Advisory
lists.apple.com/archives/security-announce/2009/Jun/msg00005.htmlnvd
lists.opensuse.org/opensuse-security-announce/2011-01/msg00006.htmlnvd
osvdb.org/54981nvd
secunia.com/advisories/37746nvd
secunia.com/advisories/43068nvd
support.apple.com/kb/HT3639nvd
www.debian.org/security/2009/dsa-1950nvd
www.securityfocus.com/bid/35317nvd
www.vupen.com/english/advisories/2009/1621nvd
www.vupen.com/english/advisories/2011/0212nvd

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000