Critical vulnerability in Apple App Store and iTunes could impact millions of Apple users



Security researcher discovers critical persistent injection vulnerability in Apple App Store and iTunes

A security research from Vulnerability Lab has discovered a critical flaw in Apple’s App Store and iTunes invoice system which could result in session hijacking and malicious invoice manipulation leaving millions of Apple users at risk.
Security researcher Benjamin Kunz Mejri from Vulnerability Lab revealed the persistent injection flaw on his website and said that the vulnerability allows remote attackers to inject malicious script codes into flawed content function and service modules.  The vulnerability has been deemed critical and assigned CVSS 5.8 severity rating.  It is basically a Application-Side input validation web vulnerability that actually resides in the Apple App Store invoice module and is remotely exploitable by both sender as well as the receiver.
According to Mejri, an attacker can exploit the flaw by manipulating a name value (device cell name) within the invoice module through an exchange of malicious specially scripted code. If a product is purchased in Apple’s stores, the backend takes the device value and encodes it with manipulated conditions in order to generate an invoice before sending it on to the seller.  This results in an Application-side script code execution in the invoice of Apple.
Mejri said that the remote hackers can manipulate the vulnerability through persistent manipulated context to other Apple store user accounts, whether they are senders or receives. Mejri states on his blog :
“The invoice is present to both parties (buyer & seller) which demonstrates a significant risk to buyers, sellers or apple website managers/developers.The issue impact also the risk that a buyer can be the seller by usage of the same name to compromise the store online service integrity.”
The exploit can be used to hijack user sessions, launch persistent phishing attacks, create persistent redirects to external sources and manipulate affected or connected service modules.

Proof of Concept :

(Your Invoice by Apple)

<tbody><tr style="background-color: rgb(245,245,245);" class="section-header" height="24">
          <td colspan="2" style="width:350px;padding-left:10px;border-top-left-radius:3px;border-bottom-left-radius:3px;" width="350"><span style="font-size:14px;font-weight:500;">App Store</span></td>
          <td style="width:100px;padding-left:20px;" width="100"><span style="color:rgb(153,153,153);font-size:10px;position:relative;top:1;">TYP</span></td>
          <td style="width:120px;padding-left:20px;" width="120"><span style="color:rgb(153,153,153);font-size:10px;position:relative;top:1;">GEKAUFT BEI</span></td>
          <td style="width:100px;padding-right: 20px;position:relative;top:1;border-top-right-radius:3px;border-bottom-right-radius:3px;" width="90" align="right"><span style="color:rgb(153,153,153);font-size:10px;white-

space:nowrap;">PREIS</span></td>
        </tr>

<tr height="90">
<td class="artwork-cell" style="padding:0 0 0 20px;margin:0;height:60px;width:60px;" width="60" align="center">
            <img src="http://a258.phobos.apple.com/us/r30/Purple7/v4/9d/2b/2d/9d2b2d60-5433-a45e-02fe-12c0f14a1b7b/icon134x134.png" alt="DuckTales: Remastered" style="border:none;padding:0;margin:0;-ms-interpolation-mode: 

bicubic;border-radius:14px;border:1px solid rgba(128,128,128,0.2);" border="0" height="60" width="60">
          </td>
                    <td style="padding:0 0 0 20px;width:260px;line-height:15px;" class="item-cell" width="260">
            <span class="title" style="font-weight:600;">DuckTales: Remastered</span><br>
            <span class="artist" style="color:rgb(153,153,153);">Disney</span><br>                        <span class="item-links" style="font-size:10px;">
                <a href="https://userpub.itunes.apple.com/WebObjects/MZUserPublishing.woa/wa/addUserReview?cc=de&id=925209077&mt=8&o=i&type=App" style="color:#0073ff;">Eine Rezension schreiben</a> | <a 

href="https://buy.itunes.apple.com/WebObjects/MZFinance.woa/wa/reportAProblem?a=925209077&cc=de&d=1666419925&o=i&p=91003564004457&pli=91006585722774" style="color:#0073ff;">Problem melden</a>            </span>
          </td>
          <td class="type-cell" style="padding:0 0 0 20px;width:100px;" width="100">
<span style="color:rgb(153,153,153)">App</span></td>
<td class="device-cell" style="padding:0 0 0 20px;width:120px;" width="120">
<span style="color:rgb(153,153,153);">[PERSISTENT INJECTED SCRIPT CODE VULNERABILITY!]bkm337"><img src="x">%20<iframe src="a">%20<iframe></span></td>
          <td width="90" class="price-cell" align="right" style="padding:0 20px 0 0;width:100px;"><span style="font-weight:600;white-space:nowrap;">9,99 €</span></td>
        </tr>

Note: We used the ducktales remake app to approve the zero-day remote vulnerability in the itunes and appstore without malicious perpose!
A video showing a proof-of-concept (PoC) demo is shown below with step by step.

Mejri notified the Apple about the vulnerability on 8th June and has not revealed the date on which the exploit has been patched by Apple . The disclosure timeline is below.
  • 2015-06-08: Researcher Notification & Coordination (Benjamin Kunz Mejri)
  • 2015-06-09: Vendor Notification (Apple Product Security Team)
  • 2015-**-**: Vendor Response/Feedback (Apple Product Security Team)
  • 2015-**-**: Vendor Fix/Patch Notification (Apple Developer Team)
  • 2015-07-27: Public Disclosure (Vulnerability Laboratory)
Apple has not yet commented on the issue.

0 comments: