Critical vulnerability in Apple App Store and iTunes could impact millions of Apple users



Security researcher discovers critical persistent injection vulnerability in Apple App Store and iTunes

A security researcher from Vulnerability Lab has discovered a critical flaw in Apple’s App Store and iTunes invoice system which could result in session hijacking and malicious invoice manipulation, leaving millions of Apple users at risk.

Security researcher Benjamin Kunz Mejri from Vulnerability Lab disclosed the persistent injection flaw on his website and said that the vulnerability allows remote attackers to inject malicious script code into the affected content functions and service modules. The vulnerability has been rated critical and assigned a CVSS severity score of 5.8. It is an application-side input validation web vulnerability that resides in the Apple App Store invoice module and is remotely exploitable by both the sender and the receiver of an invoice.

According to Mejri, an attacker can exploit the flaw by manipulating a name value (the device cell name) that the invoice module later displays, replacing it with specially crafted script code. When a product is purchased in Apple’s stores, the backend takes that device value, manipulated content included, and uses it to generate an invoice before sending the invoice on to the seller. The result is application-side script code execution inside Apple’s invoice.

Mejri said that remote attackers can use the vulnerability to deliver persistently manipulated content to other Apple store user accounts, whether they are senders or receivers. Mejri states on his blog:
“The invoice is present to both parties (buyer & seller) which demonstrates a significant risk to buyers, sellers or Apple website managers/developers. The issue also impacts the risk that a buyer can be the seller by usage of the same name to compromise the store online service integrity.”

The exploit can be used to hijack user sessions, launch persistent phishing attacks, create persistent redirects to external sources and manipulate affected or connected service modules.
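The defect described above is the classic stored-injection pattern: a user-supplied value (the device name) is concatenated into invoice markup without being escaped for an HTML text context. The following Python is an added illustration, not code from Apple or from the Vulnerability Lab advisory. It places the vulnerable rendering pattern beside the hardened one and includes a small regression check that flags any tag in the rendered cell that did not come from the template. The device-name strings are constructed samples; the payload string mirrors the shape of the advisory's PoC but the names, template and helper functions are assumptions made for this example.

```python
import html
import re

# Constructed sample inputs (not real Apple device records). The first mirrors
# the shape of the advisory's PoC payload; the second is an ordinary name that
# still contains a character (the apostrophe) an escaper must handle.
MALICIOUS_DEVICE_NAME = (
    '[PERSISTENT INJECTED SCRIPT CODE VULNERABILITY!]bkm337">'
    '<img src="x">%20<iframe src="a">%20<iframe>'
)
BENIGN_DEVICE_NAME = "Ben's iPhone"

# Hypothetical invoice template fragment, modelled on the "device-cell" column
# of the invoice table quoted in the advisory.
CELL_OPEN = '<td class="device-cell"><span style="color:rgb(153,153,153);">'
CELL_CLOSE = "</span></td>"
TEMPLATE_TAGS = {'<td class="device-cell">',
                 '<span style="color:rgb(153,153,153);">',
                 "</span>", "</td>"}

# Matches any opening or closing tag; used only for the regression check.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def render_device_cell_unsafe(device_name: str) -> str:
    """Vulnerable pattern: the attacker-controlled device name is dropped
    straight into the markup, so any '<' in it opens a new element."""
    return f"{CELL_OPEN}{device_name}{CELL_CLOSE}"


def render_device_cell_safe(device_name: str) -> str:
    """Hardened pattern: escape the value for an HTML text context before
    interpolating it. html.escape turns '<', '>', '&', '"' and "'" into
    entities, so the browser or mail client shows them as literal text."""
    return f"{CELL_OPEN}{html.escape(device_name, quote=True)}{CELL_CLOSE}"


def injected_tags(rendered_cell: str) -> list[str]:
    """Return every tag in the rendered cell that is not part of the template.
    A non-empty result means user data was able to introduce markup."""
    return [tag for tag in TAG_RE.findall(rendered_cell)
            if tag not in TEMPLATE_TAGS]


if __name__ == "__main__":
    for name in (MALICIOUS_DEVICE_NAME, BENIGN_DEVICE_NAME):
        print("unsafe:", injected_tags(render_device_cell_unsafe(name)))
        print("safe:  ", injected_tags(render_device_cell_safe(name)))
```

The check is deliberately template-specific: it is a unit-test helper for one renderer, not a general HTML sanitiser. The durable fix is the second function, escaping at the point where untrusted data meets the output context, because the same device name may be rendered again in other places (web invoice, e-mail invoice, seller report) and each of those is a separate injection point.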



Proof of Concept :

(Your Invoice by Apple)

<tbody>
  <tr style="background-color: rgb(245,245,245);" class="section-header" height="24">
    <td colspan="2" style="width:350px;padding-left:10px;border-top-left-radius:3px;border-bottom-left-radius:3px;" width="350"><span style="font-size:14px;font-weight:500;">App Store</span></td>
    <td style="width:100px;padding-left:20px;" width="100"><span style="color:rgb(153,153,153);font-size:10px;position:relative;top:1;">TYP</span></td>
    <td style="width:120px;padding-left:20px;" width="120"><span style="color:rgb(153,153,153);font-size:10px;position:relative;top:1;">GEKAUFT BEI</span></td>
    <td style="width:100px;padding-right: 20px;position:relative;top:1;border-top-right-radius:3px;border-bottom-right-radius:3px;" width="90" align="right"><span style="color:rgb(153,153,153);font-size:10px;white-space:nowrap;">PREIS</span></td>
  </tr>

  <tr height="90">
    <td class="artwork-cell" style="padding:0 0 0 20px;margin:0;height:60px;width:60px;" width="60" align="center">
      <img src="https://a258.phobos.apple.com/us/r30/Purple7/v4/9d/2b/2d/9d2b2d60-5433-a45e-02fe-12c0f14a1b7b/icon134x134.png" alt="DuckTales: Remastered" style="border:none;padding:0;margin:0;-ms-interpolation-mode: bicubic;border-radius:14px;border:1px solid rgba(128,128,128,0.2);" border="0" height="60" width="60">
    </td>
    <td style="padding:0 0 0 20px;width:260px;line-height:15px;" class="item-cell" width="260">
      <span class="title" style="font-weight:600;">DuckTales: Remastered</span><br>
      <span class="artist" style="color:rgb(153,153,153);">Disney</span><br>
      <span class="item-links" style="font-size:10px;">
        <a href="https://userpub.itunes.apple.com/WebObjects/MZUserPublishing.woa/wa/addUserReview?cc=de&id=925209077&mt=8&o=i&type=App" style="color:#0073ff;">Eine Rezension schreiben</a> | <a href="https://buy.itunes.apple.com/WebObjects/MZFinance.woa/wa/reportAProblem?a=925209077&cc=de&d=1666419925&o=i&p=91003564004457&pli=91006585722774" style="color:#0073ff;">Problem melden</a>
      </span>
    </td>
    <td class="type-cell" style="padding:0 0 0 20px;width:100px;" width="100">
      <span style="color:rgb(153,153,153)">App</span></td>
    <td class="device-cell" style="padding:0 0 0 20px;width:120px;" width="120">
      <span style="color:rgb(153,153,153);">[PERSISTENT INJECTED SCRIPT CODE VULNERABILITY!]bkm337"><img src="x">%20<iframe src="a">%20<iframe></span></td>
    <td width="90" class="price-cell" align="right" style="padding:0 20px 0 0;width:100px;"><span style="font-weight:600;white-space:nowrap;">9,99 €</span></td>
  </tr>
</tbody>

Note: We used the DuckTales remake app to approve the zero-day remote vulnerability in iTunes and the App Store without malicious purpose!

A step-by-step proof-of-concept (PoC) video demonstrating the issue was published alongside the advisory.

Mejri notified Apple about the vulnerability on 8th June and has not revealed the date on which the flaw was patched by Apple. The disclosure timeline is below.

  • 2015-06-08: Researcher Notification & Coordination (Benjamin Kunz Mejri)
  • 2015-06-09: Vendor Notification (Apple Product Security Team)
  • 2015-**-**: Vendor Response/Feedback (Apple Product Security Team)
  • 2015-**-**: Vendor Fix/Patch Notification (Apple Developer Team)
  • 2015-07-27: Public Disclosure (Vulnerability Laboratory)

Apple has not yet commented on the issue.

vijay
