Vulnerability-Lab founder and security researcher Benjamin Kunz Mejri has discovered an application-side input validation web vulnerability in the Apple App Store invoice module that is remotely exploitable by both the sender and the receiver of an invoice.
The vulnerability, rated high in severity, was reported to the Apple Security team on June 9, 2015, and the company patched the issue within a month.
How does the vulnerability work?
To exploit the flaw, a remote attacker changes the name value of their device (the device cell name) to a malicious script.
When the attacker then buys any product from the App Store or iTunes Store, the internal store service takes the device name (which now contains the malicious code), generates the invoice with it, and sends that invoice to the seller's account.
This results in application-side script code execution in Apple's invoice.
In addition, because the injected content is stored, a remote attacker can use the persistently manipulated context to reach other Apple Store user accounts.
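The root cause described above is a classic stored (persistent) cross-site scripting pattern: a user-controlled string, the device name, is copied unencoded into an HTML invoice that is later rendered for other parties. The following Python example is added here to illustrate that pattern and its fix; it is not Apple's code and does not reflect Apple's actual invoice implementation. The template, the field names and the sample device name are all constructed for the demonstration.

```python
import html
import re

# Constructed sample device name carrying markup, used only as a test input
# for the rendering functions below (not a value taken from the advisory).
HOSTILE_DEVICE_NAME = "Ben's iPhone<script>alert('xss')</script>"

# Hypothetical HTML invoice template with the two cells the advisory names:
# the device cell and the type cell.
INVOICE_TEMPLATE = (
    "<html><body>"
    "<h1>Your receipt</h1>"
    "<table>"
    "<tr><td>Device</td><td>{device}</td></tr>"
    "<tr><td>Type</td><td>{device_type}</td></tr>"
    "<tr><td>Item</td><td>{item}</td></tr>"
    "</table>"
    "</body></html>"
)


def render_invoice_vulnerable(device: str, device_type: str, item: str) -> str:
    """Vulnerable form: interpolates user-controlled fields straight into HTML.

    Whatever markup the buyer put into the device name is emitted as-is, so it
    executes in the mail client or web view of whoever opens the invoice.
    """
    return INVOICE_TEMPLATE.format(device=device, device_type=device_type, item=item)


def render_invoice_hardened(device: str, device_type: str, item: str) -> str:
    """Hardened form: HTML-encodes every user-controlled field before interpolation.

    html.escape turns <, >, &, " and ' into entities, so the device name is
    displayed as text and never parsed as markup.
    """
    return INVOICE_TEMPLATE.format(
        device=html.escape(device, quote=True),
        device_type=html.escape(device_type, quote=True),
        item=html.escape(item, quote=True),
    )


# Defence in depth: reject device names that contain markup characters or are
# unreasonably long at the point where the value is stored, so the invoice
# generator never sees them in the first place.
MAX_DEVICE_NAME_LEN = 64
_MARKUP_CHARS = re.compile(r"[<>]")


def is_acceptable_device_name(device: str) -> bool:
    """Input-side check applied when the user renames their device."""
    if not device or len(device) > MAX_DEVICE_NAME_LEN:
        return False
    return _MARKUP_CHARS.search(device) is None


_SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def contains_active_markup(rendered: str) -> bool:
    """Detection helper: True if a raw <script tag survived into the rendered output."""
    return _SCRIPT_TAG.search(rendered) is not None


if __name__ == "__main__":
    for name, renderer in (("vulnerable", render_invoice_vulnerable),
                           ("hardened", render_invoice_hardened)):
        out = renderer(HOSTILE_DEVICE_NAME, "iPhone", "Example App")
        print(f"{name:10s} active markup present: {contains_active_markup(out)}")
    print("device name accepted on input:", is_acceptable_device_name(HOSTILE_DEVICE_NAME))
```

The encoding step belongs at the output boundary (where the invoice HTML is built), because the same stored device name may be rendered in several contexts; the input-side check is a second layer, not a replacement for output encoding.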
"The invoice is presented to both parties (buyer & seller), which demonstrates a significant risk to buyers, sellers or Apple website managers/developers," says the researcher. "The issue also impacts the risk that a buyer can be the seller by usage of the same name to compromise the store online service integrity."
Successful exploitation of the bug could allow an attacker to carry out a number of malicious actions, including:
- Session hijacking
- Persistent redirect to external sources
- Persistent phishing attacks
- Persistent manipulation of affected service module context
Exploitation of the vulnerability requires a low-privileged Apple web application user account (App Store/iCloud) and low or medium user interaction.
The researcher published a step-by-step method to reproduce the flaw:
- Inject the malicious script code into your device cell name
- Buy an article using Apple iTunes or the App Store
- Select any app or movie that you would like to buy and download
- After the download is completed, an invoice arrives in your inbox
- An application-side injected script code execution occurs in the context of the arrived email, next to the device-cell and type-cell value parameters
- Successful reproduction of the remote vulnerability
You can also watch the video that shows the attack in action.