A serious remote vulnerability has been uncovered in Apple’s AppStore and iTunes web applications that posed “a significant risk to buyers, sellers or Apple website managers/developers”.
A security researcher at Vulnerability Lab found that Apple’s systems were too trusting in the way that they handled device names, a mistake that left users vulnerable to serious XSS (Cross-site Scripting) attacks.
The problem (Apple Security ID 623920272) was identified by Benjamin Kunz Mejri on 8 June 2015 and awarded a severity level of High and a CVSS score of 5.9. He disclosed it to Apple the following day and it has since been fixed.
Your iPhone’s name should be an innocuous piece of information but by failing to treat it with the required suspicion, Apple inadvertently made it a backdoor.
Your mobile device’s name is sent to iTunes or AppStore servers, along with the rest of your purchase data, whenever you buy something, and it’s included in the email invoices Apple sends to buyers and sellers.
The researcher realised that whatever he put in to his phone’s device name field (it’s under Settings → General → About → Name) would end up, unchecked, in the emails.
If he replaced his device name with code then it was simply included, unchecked and unadulterated, as part of the underlying HTML code that lays out the invoices rather than as data within it.
In other words he could spike the automatically generated invoices by changing his device name to a string of malicious code.
For an attacker, that’s an open door:
Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent redirect to external sources and persistent manipulation of affected or connected service module context.
Security best practice demands that any and all data that comes from a user, whether they enter it themselves or not, is treated as potentially hostile and handled accordingly.
For XSS attacks that means checking that the user-supplied data you get looks like the data you are expecting and then is escaped correctly whenever it’s used in programme output.
XSS vulnerabilities are well known, well understood and easy to defend against but they’re still one of the most common types of vulnerabilities found in web applications.
Big companies like Apple ought to have sufficient quality control in place to stop these kind of easily identified flaws before they get in to production.
That said, when mistakes do occur it’s important that they’re dealt with quickly and discretely so kudos to Vulnerability Lab for disclosing the issue responsibly, and to Apple for fixing it quickly.