Researchers have discovered a critical flaw in Apple's App Store and iTunes invoicing system that could allow attackers to hijack sessions, redirect to external sources and launch persistent phishing attacks.
Vulnerability Lab researcher Benjamin Kunz Mejri published details of the flaw and a proof of concept today.
The application-side input validation web vulnerability is deemed critical because it allows remote attackers to inject malicious code in Apple's flawed content function and services modules.
When a user buys something from iTunes or the App Store, Apple's systems use the device name as part of the invoice sent to the buyer and seller.
A remote hacker can exploit the flaw by manipulating the device name and replacing it with malicious code, which then gets sent on to the seller and buyer accounts through the invoice, Merji found.
Attackers could then hijack sessions, redirect to external sources and launch persistent phishing attacks as well as “persistent manipulation of affected or connected service module context,” Mejri warned.
"The invoice is present to both parties (buyer and seller) which demonstrates a significant risk to buyers, sellers or Apple website managers/developers," he said.
"The issue impact [is] also the risk that a buyer can be the seller by usage of the same name to compromise the store online service integrity."
Reproducing the vulnerability was as easy as replacing your device name with malicious code, buying something from the App Store or iTunes, and receiving the invoice generated after the purchase which contains the malicious script, he said.
Mejri discovered the vulnerability in June and reported it to Apple.
It appears the company patched the hole soon after being notified of its existence.
Apple included fixes for 80 security issues in its most recent set of patches for OS X and iOS earlier this month.
