Apple patches serious remotely exploitable iTunes and App Store flaw
Security researcher Benjamin Kunz Mejri from Vulnerability Lab has discovered a serious vulnerability in Apple’s App Store and iTunes web apps, which can lead to “session hijacking, persistent phishing attacks, persistent redirect to external sources and persistent manipulation of affected or connected service module context.”
Luckily, the researcher decided to share his discovery with Apple first, so that the company could fix the issue. They did, and he was finally able to disclose both the flaw and a PoC exploit for it on Monday.
The application-side input validation and mail encoding web vulnerability has been deemed high-risk, as it can be exploited by remote attackers with a low privilege web-application user account, with low or medium user interaction.
“The Apple iTunes and App Store are taking the device cell name of the buying users. Remote attackers can manipulate the name value by an exchange with script code (special chars). After that the attacker buys any article in the App Store or iTunes store,” the researcher explained in a security advisory.
“During that procedure the internal App Store service takes the device value and encodes it with wrong conditions. The seller account context runs since the error with the injected script code occurs and gets this way re-implemented to the invoice. This results in an application-side script code execution in the invoice of Apple.”
“Remote attackers can manipulate the bug by interaction via persistent manipulated context to other Apple store user accounts,” he explained. “The vulnerability can be exploited by remote attackers and the malicious receiver/sender email is *@email.apple.com. The invoice is present to both parties (buyer & seller), which demonstrates a significant risk to buyers, sellers or Apple website managers/developers.”
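The defect the advisory describes is a stored injection: a buyer-controlled string (the device name) is copied into an HTML invoice that is mailed to both parties without being encoded for that context. The following Python is an added illustration written for this article, not code from Vulnerability Lab or from Apple's systems; the invoice template, the `Purchase` record and the function names are hypothetical, and the device name used as input is a constructed sample. It places the unsafe rendering pattern next to the hardened one (output encoding plus an input-side allowlist) and adds a simple outbound check a mail pipeline could run to catch raw markup that reached a generated message.

```python
import html
import re
from dataclasses import dataclass

# Hypothetical HTML invoice template, constructed for this example.
INVOICE_TEMPLATE = (
    "<html><body>"
    "<h1>Receipt</h1>"
    "<p>Item: {item}</p>"
    "<p>Purchased from device: {device}</p>"
    "<p>Total: {total}</p>"
    "</body></html>"
)


@dataclass
class Purchase:
    device_name: str  # buyer-controlled, the field the advisory points at
    item: str
    total: str


def render_invoice_unsafe(p: Purchase) -> str:
    """Pattern the advisory describes: the raw device name is interpolated
    into the HTML body, so any markup it carries is rendered by the mail client."""
    return INVOICE_TEMPLATE.format(item=p.item, device=p.device_name, total=p.total)


def render_invoice_safe(p: Purchase) -> str:
    """Hardened version: every untrusted field is HTML-encoded at the point
    of output, so it can only ever appear as literal text in the invoice."""
    def esc(s: str) -> str:
        return html.escape(s, quote=True)
    return INVOICE_TEMPLATE.format(item=esc(p.item), device=esc(p.device_name), total=esc(p.total))


# Input-side allowlist: letters, digits, underscore, space and a few punctuation
# marks, at most 64 characters. A device name has no business containing markup.
_DEVICE_NAME_RE = re.compile(r"^[\w .'()-]{1,64}$")


def validate_device_name(name: str) -> bool:
    """True when the name fits the allowlist; reject (or re-prompt) otherwise."""
    return _DEVICE_NAME_RE.fullmatch(name) is not None


# Outbound detection check for a generated mail body: raw script tags, inline
# event handlers or javascript: URLs should never survive proper encoding.
_RAW_SCRIPT_RE = re.compile(r"<\s*script\b|\bon\w+\s*=|javascript:", re.IGNORECASE)


def contains_raw_script(email_body: str) -> bool:
    """Flag an outgoing message whose body still contains active HTML content."""
    return _RAW_SCRIPT_RE.search(email_body) is not None


# Constructed sample input: a device name with a script tag appended.
CONSTRUCTED_DEVICE_NAME = "Ben's iPhone<script>alert(1)</script>"
SAMPLE_PURCHASE = Purchase(device_name=CONSTRUCTED_DEVICE_NAME, item="Song", total="$1.29")


if __name__ == "__main__":
    print("allowlist accepts sample name:", validate_device_name(CONSTRUCTED_DEVICE_NAME))
    unsafe = render_invoice_unsafe(SAMPLE_PURCHASE)
    safe = render_invoice_safe(SAMPLE_PURCHASE)
    print("unsafe body flagged:", contains_raw_script(unsafe))
    print("safe body flagged:", contains_raw_script(safe))
    print(safe)
```

The allowlist alone is not the fix, since a validation rule can be bypassed by any path that writes the field (a different client, an API, a later import); encoding at output is what makes the invoice safe regardless of where the string came from, and the outbound check gives operations a way to notice when some template has been missed.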