posted by Fnord666 on Thursday January 19 2017, @12:26AM
from the another-day-another-exploit dept.

Arthur T Knackerbracket has found the following story:

Apple is reportedly aware of and is in the middle of fixing a pair of vulnerabilities that exist in iTunes and the App Store. If exploited, researchers claim an attacker could inject malicious script into the application side of the vulnerable module or function.

Vulnerability Lab's Benjamin Kunz Mejri disclosed the vulnerabilities on Monday, explaining the issues can be jointly exploited via iTunes and the App Store's iOS "Notify" function.

Apple implemented the function in September, in the weeks leading up to the release of the game Super Mario Run. The function takes information from the device, such as iCloud credentials or devicename values, to alert users when a soon-to-launch application debuts.

Mejri, the firm's founder, claims the Notify functionality can be exploited via a persistent input validation vulnerability and a mail encoding web vulnerability. An attacker could substitute the name variable–the vulnerable firstname parameter–with a script launching a payload.

Mejri said the issue stems from how Apple sends notifications from its @new-itunes.com web server, which doesn't properly validate the iCloud name or devicename parameter. Instead of displaying introductory text, it can be rigged to execute malicious payloads.

"The vulnerability can be exploited on restricted accessible iOS devices to the main account holder inbox," Mejri wrote in his disclosure Monday. "The issue could be used as well to continue to calendar spam activities."

Mejri told Threatpost Tuesday that while the issue isn't highly exploitable, it "definitely has a nice impact." Exploiting the persistent input validation flaw would be easier, because it only requires an Apple account and "low or medium user interaction," according to the researcher. Ultimately, if stitched together, he warns, the bugs could result in session hijacking, persistent phishing attacks, and persistent redirect to external sources.

[...] The vulnerability is similar to one disclosed by Vulnerability Lab and patched by Apple in iTunes and the App Store a year and a half ago. Before it was fixed, like this week's issue, an attacker could have remotely injected script into invoices, something that could have led to hijacking, phishing, and redirect.

-- submitted from IRC
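
The flaw described in the story, an account-controlled name or device name placed into a notification mail without validation or encoding, is shown here as an added example next to a hardened form; it is not Apple's or Vulnerability Lab's code. The function names, the 64-character limit, the message wording and the sample value are assumptions made for illustration, and the recipient address is assumed to be trusted.

```python
import html
import unicodedata
from email.message import EmailMessage

MAX_NAME_LEN = 64  # assumed limit for this example

def clean_name(value: str) -> str:
    """Normalize a user-controlled name and drop control/format characters."""
    value = unicodedata.normalize("NFKC", value)  # fullwidth '＜' becomes '<'
    value = "".join(ch for ch in value if unicodedata.category(ch)[0] != "C")
    return value.strip()[:MAX_NAME_LEN]

def render_unsafe(firstname: str, devicename: str, app: str) -> str:
    """Weak form: account-controlled values are pasted into the markup."""
    return f"<p>Hi {firstname}, {app} is now available for {devicename}.</p>"

def render_safe(firstname: str, devicename: str, app: str) -> str:
    """Hardened form: normalize first, then encode for the HTML context."""
    first, device, title = (
        html.escape(clean_name(v), quote=True) for v in (firstname, devicename, app)
    )
    return f"<p>Hi {first}, {title} is now available for {device}.</p>"

def build_notification(to_addr, firstname, devicename, app) -> EmailMessage:
    """Build a multipart mail whose text and HTML parts use cleaned values."""
    msg = EmailMessage()
    msg["To"] = to_addr
    msg["Subject"] = f"{clean_name(app)} is now available"  # no CR/LF survives
    msg.set_content(f"Hi {clean_name(firstname)}, {clean_name(app)} is now "
                    f"available for {clean_name(devicename)}.")
    msg.add_alternative(render_safe(firstname, devicename, app), subtype="html")
    return msg

# Constructed sample input: markup placed in the account's first name.
SAMPLE_NAME = '<script src="https://example.invalid/x.js"></script>'

if __name__ == "__main__":
    print(render_unsafe(SAMPLE_NAME, "iPhone", "Example App"))
    print(build_notification("user@example.com", SAMPLE_NAME, "iPhone", "Example App"))
```

Normalizing before encoding matters: NFKC folds fullwidth angle brackets into ASCII ones, so encoding first would let them through.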


This discussion has been archived. No new comments can be posted.
  • (Score: -1, Troll) by Anonymous Coward on Thursday January 19 2017, @12:33AM (#455800)

    iApps Tune Store is for idiots. Anyone who is smart enough to exploit it should be ashamed to use it long enough to discover vulnerabilities.

  • (Score: 0) by Anonymous Coward on Thursday January 19 2017, @12:24PM (#456006)

    The function takes information from the device, such as iCloud credentials or devicename values, to alert users when a soon-to-launch application debuts.

    Can anyone tell me why this functionality would need such sensitive data? The very fact that they considered it a good idea to use that information in this context makes me very suspicious about how seriously they take their users' security.