Critical vulnerability in Apple App Store, iTunes revealed

The critical injection vulnerability potentially impacts millions of users.
Written by Charlie Osborne, Contributing Writer

A critical flaw has been discovered in Apple's App Store and iTunes invoice system which could result in session hijacking and malicious invoice manipulation.

Revealed this week by security researcher Benjamin Kunz Mejri from Vulnerability Lab, the persistent injection flaw, deemed critical, is an application-side input validation web vulnerability. In an advisory, the researcher said the vulnerability allows remote attackers to inject malicious script codes into flawed content function and service modules.

According to Mejri, an attacker can exploit the flaw by manipulating a name value (device cell name) within the invoice module through an exchange of malicious, scripted code. If a product is purchased in Apple's stores, the backend takes the device value and encodes it with manipulated conditions in order to generate an invoice before sending it on to the seller.

This results in application-side script code execution within the Apple invoice. The flaw has been issued a CVSS 5.8 severity rating.

In addition, cyberattackers can remotely manipulate this bug by interaction through persistent manipulated context to other Apple store user accounts, whether they be senders or receivers. The researcher says:

"The invoice is present to both parties (buyer & seller) which demonstrates a significant risk to buyers, sellers or apple website managers/developers.
The issue impact also the risk that a buyer can be the seller by usage of the same name to compromise the store online service integrity."

The exploit can be used to hijack user sessions, launch persistent phishing attacks, create persistent redirects to external sources and manipulate affected or connected service modules.

A video showing a proof-of-concept (PoC) demo is shown below. The researcher also published step-by-step instructions to exploit the vulnerability.

Mejri notified the iPad and iPhone maker of Vulnerability Lab's discovery on 8 June. The disclosure timeline is below.

  • 2015-06-08: Researcher Notification & Coordination (Benjamin Kunz Mejri)
  • 2015-06-09: Vendor Notification (Apple Product Security Team)
  • 2015-**-**: Vendor Response/Feedback (Apple Product Security Team)
  • 2015-**-**: Vendor Fix/Patch Notification (Apple Developer Team)
  • 2015-07-27: Public Disclosure (Vulnerability Laboratory)

Earlier this month, Apple patched a plethora of vulnerabilities in iOS and OS X. If exploited, the vulnerabilities allowed for problems including remote code execution, man-in-the-middle (MITM) attacks, application termination and the interception of encrypted traffic.

ZDNet has reached out to Apple and will update if we hear back.

Top 5 security practices in staying safe online: From the experts

Read on: Top picks

Editorial standards