The Hacker News Logo
Subscribe to Newsletter

Apple App Store was vulnerable for more than Half year

A Google developer helps Apple to fixed a security flaw in its application store that for years has allowed attackers to steal passwords and install unwanted or extremely expensive applications.


Security loophole allowed attacker to hijack the connection, because Apple neglected to use encryption when an iPhone or other mobile device tries to connect to the App Store.
Researcher Elie Bursztein revealed on his blog that he had alerted Apple of numerous security issues last July but that Apple had only turned on HTTPS for the App Store last week.

An attacker only needs to be on the same network as the person who is using the App Store. From there, they can intercept the communications between the device and the App Store and insert their own commands.

The malicious user could take advantage of the unsecure connection to carry out a number of different attacks i.e steal a password, force someone to purchase an app by swapping it with a different app that the buyer actually intended to get or by showing fake app updates, prevent a person from installing an app by making it disappear from the App Store or force the App Store to show the entire list of apps installed on a device.

Bursztein has posted some videos that show the App Store holes in action, a couple of which can be found below:

He said that he alerted Apple to his findings back in early July of 2012, and Apple only turned on HTTPS encryption at the end of January and even the App Store existed for years without having HTTPS encryption.

Have something to say about this article? Comment below or share it with us on Facebook, Twitter or our LinkedIn Group.
SHARE
Comments
Latest Stories
Best Deals

Newsletter — Subscribe for Free

Join over 500,000 information security professionals — Get the best of our cyber security coverage delivered to your inbox every morning.