Bug hunter reveals Apple iTunes, Mac app store receipt deceit

Inject evil JavaScript code via the device name? Don't mind if we do

Vulnerability Lab founder Benjamin Kunz Mejri says he's found a security bug in Apple's Mac and iOS app stores that could be exploited to inject malicious JavaScript code into victims' web browsers.

Mejri reported the "application-side input validation web vulnerability" to Apple in early June, and went public with details of the flaw on Monday this week after conversations with Apple's security team petered out.

"After we received no serious reply, we released the data," Mejri told El Reg in an email. Apple did not respond to a request for comment, and it's not clear if the vulnerability has been addressed.

In a nuthsell, the bug works like this: you change the name of your iThing to include JavaScript code, then download or purchase an app from either the Mac or iTunes stores. Apple's systems generate an invoice, and email it to you and make a copy available online from your store account.

That JavaScript code stashed in your device name will be embedded in the invoice, so opening it in a browser will execute it, allowing it to attempt to do bad things like hijack your Apple account. Sellers and Apple staff viewing a copy of the invoice will also get attacked.

As far as we can tell, the trick is to change the name of someone's iPhone, iPad or iPod to something containing evil code without them realizing the alteration, and then wait for them to make a purchase to trigger the script. It is a reminder that even well-paid and highly educated Apple engineers forget to validate their input data: the JavaScript should have been stripped out.

"The vulnerability allows remote attackers to inject [their] own malicious script code," German-speaking Mejri explained.

"Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent redirect to external sources, and persistent manipulation of affected or connected service module context," he added.

A video showing how to exploit the hole can be watched below. ®

Youtube video

Sponsored: The Joy and Pain of Buying IT - Have Your Say


Biting the hand that feeds IT © 1998–2017