Apple has recently patched a serious issue plaguing its App Store and iTunes Store web app that could allow an attacker to remotely inject a malicious script into invoices that come directly from Apple and could lead to session hijacking, phishing or a redirect.
The vulnerability was uncovered back in June by Benjamin Kunz Mejri, a researcher at Vulnerability Lab, who reported it to the tech giant's security team.
Mejri, who claims the flaw “demonstrates a significant risk to buyers, sellers or Apple website managers/developers,” published details on the flaw along with a proof-of-concept video demonstrating it on Monday.
Successful exploitation of the vulnerability could allow an attacker to perform any number of sensitive tasks, including session hijacking, persistent phishing attacks, persistent redirect to external sources and persistent manipulation of affected or connected service module context.
Mejri wasn’t able to reveal when Apple began to address the serious vulnerability, but if the company’s latest iTunes update that went live on June 30 is any indication, Apple may have fixed the issue in less than a month’s time.
The flaw, which is an application-side input validation web vulnerability, is allegedly tied to the fact that when a purchase invoice is sent, Apple uses the name of the user’s device, something attackers are able to manipulate via script code. Apple device names are generally arbitrary, yet, according to Mejri, the App Store and iTunes take the device value and encode it improperly with the wrong conditions.
All of this means that if an attacker were to inject their code into Apple’s invoicing system, it would result in the execution of application-side script code. Following a purchase from either the App Store or iTunes, the Apple invoice gets sent to the target’s email and triggers the malicious code injection.
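As an added illustration (not code from the advisory or from Apple), the following Python contrasts an invoice template that concatenates the device name into the email HTML unencoded with one that entity-encodes it at output time, plus a check that flags stray markup in the rendered fragment; all function names and sample values are constructed.

```python
import html
import re

# Constructed sample device names (not taken from the advisory):
# one ordinary name and one carrying markup.
SAMPLE_DEVICE_NAMES = [
    "Ben's iPhone",
    "My iPad<script>alert(1)</script>",
]


def render_invoice_row_unsafe(device_name: str, device_type: str) -> str:
    """Vulnerable pattern: the device name is dropped into the invoice HTML
    unchanged, so any markup the user put in it becomes part of the
    email's DOM when the mail client renders it."""
    return f"<td>{device_name}</td><td>{device_type}</td>"


def render_invoice_row_safe(device_name: str, device_type: str) -> str:
    """Hardened pattern: every untrusted value is HTML-entity encoded at
    the point of output, so '<', '>', '&' and quotes are displayed as
    text rather than parsed as tags or attributes."""
    return (
        f"<td>{html.escape(device_name, quote=True)}</td>"
        f"<td>{html.escape(device_type, quote=True)}</td>"
    )


# Matches any HTML tag, opening or closing.
_TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def contains_foreign_markup(rendered: str) -> bool:
    """Output-side check: does the rendered fragment contain any tag that
    is not one of the template's own <td> cells?  A true result means
    user-controlled markup survived into the email body."""
    tags = _TAG_RE.findall(rendered)
    return any(t not in ("<td>", "</td>") for t in tags)


def audit_device_names(names: list[str]) -> list[str]:
    """Ingest-side signal: list device names that carry markup so they can
    be logged or reviewed before they reach any template."""
    return [n for n in names if _TAG_RE.search(n)]
```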
“Remote attackers can manipulate the bug by interaction via persistent manipulated context to other Apple store user accounts,” Mejri explained Monday. “The vulnerability can be exploited by remote attackers and the malicious receiver/sender email is *@email.apple.com.”
Mejri said the flaw can be mimicked in six simple steps:
- Inject script code into your device cell name
- Buy an article by using the Apple iTunes or App Store online service (via app or desktop browser)
- Choose any app or movie that you would like to buy and download it
- After the download, an invoice arrives in the user's inbox
- The application-side injected script code execution occurs in the arrived email's context next to the device-cell and type-cell value parameters
- Successful reproduction of the remote vulnerability!
Note: The App Store runs since it gets the wrongly encoded values and stops, which results in the manipulated device name value in the seller name input