{"id":224926,"date":"2026-03-18T02:31:00","date_gmt":"2026-03-18T06:31:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/03\/18\/apple-fixes-webkit-vulnerability-enabling-same-origin-policy-bypass-on-ios-and-macos\/"},"modified":"2026-03-18T08:05:08","modified_gmt":"2026-03-18T12:05:08","slug":"apple-fixes-webkit-vulnerability-enabling-same-origin-policy-bypass-on-ios-and-macos","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/03\/18\/apple-fixes-webkit-vulnerability-enabling-same-origin-policy-bypass-on-ios-and-macos\/","title":{"rendered":"Apple Fixes WebKit Vulnerability Enabling Same-Origin Policy Bypass on iOS and macOS"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/03\/apple-fixes-webkit-vulnerability.html\">Apple Fixes WebKit Vulnerability Enabling Same-Origin Policy Bypass on iOS and macOS<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/03\/apple-fixes-webkit-vulnerability.html\">https:\/\/thehackernews.com\/2026\/03\/apple-fixes-webkit-vulnerability.html<\/a><\/p>\n<p>Publish Date: 2026-03-18 02:31:00<\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p><span class=\"p-author\"><span class=\"author\">Ravie Lakshmanan<\/span> <span class=\"author\">Mar 18, 2026<\/span><\/span> <span class=\"p-tags\">Vulnerability \/ Zero-Day<\/span><\/p>\n<p>Apple on Tuesday released its first round of Background Security Improvements to address a security flaw in WebKit that affects iOS, iPadOS, and macOS.<\/p>\n<p>The vulnerability, tracked as CVE-2026-20643 (CVSS score: N\/A), has been described as a cross-origin issue in WebKit&#8217;s Navigation API that could be exploited to bypass the same-origin policy when processing maliciously crafted web content.<\/p>\n<p>The flaw affects iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1, and macOS 26.3.2. 
It has been addressed with improved input validation in iOS 26.3.1 (a), iPadOS 26.3.1 (a), macOS 26.3.1 (a), and macOS 26.3.2 (a). Security researcher Thomas Espach has been credited with discovering and reporting the shortcoming.<\/p>\n<p>Apple notes that Background Security Improvements are meant for delivering lightweight security releases for components such as the Safari browser, WebKit framework stack, and other system libraries through smaller, ongoing security patches rather than issuing them as part of larger software updates.<\/p>\n<p>The feature is supported and enabled for future releases starting with iOS 26.1, iPadOS 26.1, and macOS 26. In cases where compatibility issues are discovered, the improvements may be temporarily removed and then enhanced in a subsequent software update, Apple adds.<\/p>\n<p>Users can control Background Security Improvements via the Privacy and Security menu in the Settings app. To ensure that they are automatically installed, it&#8217;s advised to keep the &#8220;Automatically Install&#8221; option on.<\/p>\n<p>It&#8217;s worth noting that if users opt to have this setting disabled, they will have to wait until the improvements are included in the next software update. 
Viewed in that light, the feature is analogous to Rapid Security Response, which Apple introduced in iOS 16 as a way to install minor security updates.<\/p>\n<p>&#8220;If a Background Security Improvement has been applied, and you choose to remove it, your device reverts to the baseline software update (for&#8230;<\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/03\/apple-fixes-webkit-vulnerability.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Apple Fixes WebKit Vulnerability Enabling Same-Origin Policy Bypass on iOS and macOS https:\/\/thehackernews.com\/2026\/03\/apple-fixes-webkit-vulnerability.html Publish Date:&#8230;<\/p>\n","protected":false},"author":1,"featured_media":224927,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhrIGrK9v7gHMVWn2ApD_KeHXedmQ6FwRObZ4ZqEQssbaUU_8qjOSYBBRzZPzK0J8eHdH37Ws_n1u-ESXKJ1WEb4jjFcLn1Tdoj4n0z0wrfFj7X5DKIK8dzKYZ9uLDV2dg6HecUyRdUDkYR1LKkvhkGWBh_anbKF83bvLXUJBeTTwjCDeJ0V2hRAEN1bxhv\/s16000\/apple-hacking.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[27],"class_list":["post-224926","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/224926"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=224926"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/224926\/revisions"}],"predecessor-version":[{"
id":224928,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/224926\/revisions\/224928"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/224927"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=224926"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=224926"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=224926"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}