[18] WebPaymentCoordinatorProxy_ShowPaymentUI handles arbitrary untyped image data
Severity: Low | Component: WebKit Apple Pay Installments IPC | c945958
Rated Low because the observable effect is removal of an unused IPC field: no bug-class incident is shown to have triggered, and the security value is purely attack-surface reduction (an unused base64 → NSData → PassKit pipeline removed before any concrete vulnerability surfaced).
Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in
Source/WebCore/Modules/applepay/PaymentInstallmentConfiguration.mm
Patch Details
merchandisingImageData is marked [NotSerialized] in WebCoreArgumentCoders.serialization.in; the struct switches to [CreateUsing=fromInstallmentConfiguration] factory construction. A new ApplePayInstallmentConfigurationWebCore.cpp defines fromInstallmentConfiguration, reconstructing the struct on the receiving side with an empty placeholder string. PaymentInstallmentConfiguration.mm drops the WebContent-side base64 decode into NSData passed to [PKPaymentInstallmentConfiguration setMerchandisingImageData:] and the read-back round-trip; SPI entries are removed from PassKitInstallmentsSPI.h and AllowedSPI-legacy.toml. The web-facing dictionary field is retained as a no-op for API compatibility.
The underlying pattern is unsanitized, untyped data crossing a sandbox IPC boundary into a privileged image/data sink that no longer needs the input.
Background
ApplePayInstallmentConfiguration is the WebIDL dictionary describing an Apple Pay installments offer; created in WebContent from JS and passed to the UIProcess to render the payment sheet. PassKit (PKPaymentInstallmentConfiguration) renders the native payment sheet UI at higher privilege than WebContent. WebKit IPC serialization is field-by-field via WebCoreArgumentCoders.serialization.in; [NotSerialized] excludes a field from the wire format, [CreateUsing=...] directs the generator to construct via a static factory.
Analysis
Pre-fix, an attacker with WebContent access could send arbitrary base64 bytes that the UIProcess decoded into NSData and handed to PassKit's setMerchandisingImageData:. The commit message confirms the field was never actually consumed by Apple Pay. The pattern (a feature property defined in WebIDL, serialized over IPC, decoded in the UIProcess, but never consumed end-to-end) is recurring attack surface, especially when the data is opaque: base64 blobs, untyped NSData, free-form strings handed to platform frameworks. The fix is also a worked example of how WebKit's serializer generator constrains struct layout; because the script could not synthesise a partial aggregate initializer, the team introduced [CreateUsing=...] rather than reorder the C++ struct.
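The following is an added illustration of the shape of the fix, not WebKit's code: a hand-written length-prefixed wire format stands in for WebKit's generated coders, and the struct, field names, `encodeLegacy`/`decodeLegacy`, `encodeFixed`/`decodeFixed`, `fromInstallmentConfiguration` and `bytesReachingSink` are all assumptions chosen to mirror the Background and Analysis above. It contrasts the pre-fix decoder, which materialises a sender-controlled blob on the privileged side, with the post-fix one, where the field is absent from the wire format and a factory fills it with a placeholder, so no attacker bytes can reach the sink and a message that tries to smuggle the old field in is rejected.

```cpp
// Added illustration, not WebKit code: a hand-written length-prefixed wire
// format that models the shape of the fix. All names are assumptions.
#include <cstddef>
#include <cstdint>
#include <optional>
#include <string>
#include <utility>
#include <vector>

struct InstallmentConfiguration {
    std::string merchantIdentifier;
    std::string merchandisingImageData; // opaque base64 blob the sink never used
};

using Wire = std::vector<uint8_t>;

// Little-endian u32 length prefix followed by the raw bytes.
static void putString(Wire& w, const std::string& s) {
    uint32_t n = static_cast<uint32_t>(s.size());
    for (int i = 0; i < 4; ++i) w.push_back(static_cast<uint8_t>(n >> (8 * i)));
    w.insert(w.end(), s.begin(), s.end());
}

// Bounds-checked read; rejects a truncated message or a bogus length.
static std::optional<std::string> getString(const Wire& w, size_t& pos) {
    if (w.size() - pos < 4) return std::nullopt;
    uint32_t n = 0;
    for (int i = 0; i < 4; ++i) n |= static_cast<uint32_t>(w[pos + i]) << (8 * i);
    pos += 4;
    if (w.size() - pos < n) return std::nullopt;
    std::string s(w.begin() + pos, w.begin() + pos + n);
    pos += n;
    return s;
}

// Pre-fix shape: every field, including the untyped blob, crosses the boundary.
Wire encodeLegacy(const InstallmentConfiguration& c) {
    Wire w;
    putString(w, c.merchantIdentifier);
    putString(w, c.merchandisingImageData);
    return w;
}

std::optional<InstallmentConfiguration> decodeLegacy(const Wire& w) {
    size_t pos = 0;
    auto merchant = getString(w, pos);
    if (!merchant) return std::nullopt;
    auto image = getString(w, pos);
    if (!image) return std::nullopt;
    if (pos != w.size()) return std::nullopt; // trailing bytes are not a valid message
    return InstallmentConfiguration{*merchant, *image};
}

// Post-fix shape: the blob is [NotSerialized], so the encoder never emits it ...
Wire encodeFixed(const InstallmentConfiguration& c) {
    Wire w;
    putString(w, c.merchantIdentifier);
    return w;
}

// ... and the [CreateUsing=...] factory rebuilds the struct from only the
// serialized fields, with a placeholder for the rest, so the receiving side
// never observes sender-controlled bytes in that field.
static InstallmentConfiguration fromInstallmentConfiguration(std::string merchantIdentifier) {
    return InstallmentConfiguration{std::move(merchantIdentifier), std::string()};
}

std::optional<InstallmentConfiguration> decodeFixed(const Wire& w) {
    size_t pos = 0;
    auto merchant = getString(w, pos);
    if (!merchant) return std::nullopt;
    if (pos != w.size()) return std::nullopt; // a smuggled extra field is rejected
    return fromInstallmentConfiguration(*merchant);
}

// Stand-in for the privileged sink: how many sender-controlled bytes it would
// receive for the image field.
size_t bytesReachingSink(const InstallmentConfiguration& c) {
    return c.merchandisingImageData.size();
}
```

The factory takes only the fields that are still on the wire, which is why it sidesteps the partial-aggregate-initializer problem mentioned above without reordering the struct; the strict end-of-message check is what turns a stale or hostile legacy-shaped message into a decode failure instead of silently accepted extra data.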