In November, Apple introduced a new App Store feature, dubbed "Notify" button — a bright orange button that users can click if they want to be alerted via iCloud Mail when any game or app becomes available on the App Store.
Vulnerability Lab's Benjamin Kunz Mejri discovered multiple vulnerabilities in iTunes's Notify feature and iCloud mail, which could allow an attacker to infect other Apple users with malware.
"Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent redirect to external sources and persistent manipulation of affected or connected service module context," Mejri wrote in an advisory published Monday.
Here's How the Attack Works?
The attack involves exploitation of three vulnerabilities via iTunes and the App Store's iOS Notify function.
When you click on notify feature for any unreleased app, the function automatically retrieves information from your device, including your devicename value and primary iCloud email id, to alert you when the soon-to-launch app debuts.
However, this devicename parameter is vulnerable to persistent input validation flaw, which allows an attacker to insert malicious javascript payload into the devicename field that would get executed on the victim's device in the result after successful exploitation.
Moreover, the remote attacker can even set the victim's iCloud email as his/her primary email address, without any confirmation from the victim's side, and that's where the second flaw resides.
So, now whenever the unreleased app will be available, Apple will send an email to victim's address and since the attacker had set the victim's email address as his/her own primary email at the time of subscribing to the notification.
So, the victim will receive that email from Apple, which will include the malicious payload inserted by the attacker into the devicename field.
Here the malicious payload will get executed at the victim's side, as shown in screenshots, and that's the third flaw in Apple's email client which fails to check the content of its email sent to its users.
Successful exploitation of the vulnerabilities could allow the attacker to perform various actions, such as session hijacking.
"The security risk of the persistent input validation and mail encoding web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 5.8," Mejri wrote.
"Exploitation of the persistent input validation and mail encoding web vulnerability requires a low privileged apple (appstore/iCloud) account and low or medium user interaction."Mejri said he first prepared to exploit code for the Notify function back in September when Apple first unveiled this feature. Around December 15 when Super Mario Run was released on Apple App Store, he confirmed that his exploit worked just well.
Apple is reportedly aware of the issues and is in the middle of fixing them.
