CVE-2015-5759
Description
WebKit in iOS before 8.4.1 fails to properly handle tap events, allowing a malicious website to spoof click actions and trick users into unintended actions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A spoofing vulnerability exists in the WebKit rendering engine used in Apple iOS versions prior to 8.4.1. The issue arises from improper handling of tap events when processing content from a remote website. By crafting a site that leverages these events, an attacker can make the browser interpret a user's tap as occurring at a location different from the intended target, effectively spoofing clicks on visible UI elements. The affected versions are iOS 8.4.0 and earlier across all supported devices at the time.
Exploitation
An attacker needs only to host a malicious website and lure the victim into visiting it with a vulnerable iOS browser (e.g., Safari). The attack requires no special network position or authentication; the victim's device must simply process the crafted tap event sequences delivered via the malicious site. No user interaction beyond visiting the page is required—the spoofed clicks are triggered by normal tap gestures.
Impact
Successful exploitation allows the attacker to misdirect the user's taps to arbitrary on-screen elements. This can lead to unintended actions such as activating buttons, following disguised links, or granting permissions without the user's awareness. The impact is primarily on integrity (user actions are subverted) and confidentiality (unintended actions may leak data), but does not typically lead to arbitrary code execution or system-level compromise.
Mitigation
Apple addressed this vulnerability in iOS 8.4.1, released on August 13, 2015. Users should update their devices to iOS 8.4.1 or later via the Software Update mechanism. No workarounds are available for unpatched versions [1].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <8.4.1
Patches
No patches discovered yet.
References
- lists.apple.com/archives/security-announce/2015/Aug/msg00002.html (nvd, Vendor Advisory)
- support.apple.com/kb/HT205030 (nvd, Vendor Advisory)
- www.securityfocus.com/bid/76337 (nvd)
- www.securitytracker.com/id/1033275 (nvd)