Vulnerability Lab founder Benjamin Kunz Mejri says he's found a security bug in Apple's Mac and iOS app stores that could be exploited to inject malicious JavaScript code into victims' web browsers. Mejri reported the "application-side input validation web vulnerability" to Apple in early June, and went public with details of the flaw on Monday this week after conversations with Apple's security team petered out.
"After we received no serious reply, we released the data," Mejri told El Reg in an email. Apple did not respond to a request for comment, and it's not clear if the vulnerability has been addressed.
In a nutshell, the bug works like this: you change the name of your iThing to include JavaScript code, then download or purchase an app from either the Mac App Store or iTunes. Apple's systems generate an invoice, email it to you, and make a copy available online from your store account. The JavaScript stashed in your device name is embedded in that invoice without being encoded, so opening the invoice in a browser executes the script, allowing it to attempt to do bad things like hijack your Apple account. Sellers and Apple staff viewing a copy of the invoice will also get attacked.
As far as we can tell, the trick is to change the name of someone's iPhone, iPad or iPod to something containing evil code without them realizing the alteration, and then wait for them to make a purchase to trigger the script. It is a reminder that even well-paid and highly educated Apple engineers forget to validate their input data: the JavaScript should have been stripped out, or at the very least the device name should have been HTML-encoded before being written into the invoice.
"Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent redirect to external sources, and persistent manipulation of affected or connected service module context," he added.
A video showing how to exploit the hole can be seen here. Not allowing others to access your device would seem to be a simple cure.
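The failure described above is an untrusted string (the device name) being concatenated into HTML that is later opened in a browser. The following is an added example, not code from the report or from Apple, that renders a constructed invoice template both ways: the unencoded form that mirrors the flaw, and the hardened form that HTML-escapes the name before it lands in the page. It also includes a small check a test suite could run to flag any tag in the rendered output that did not come from the template itself, plus an input-side sanity check on device names as defence in depth. The template, sample names, and function names are all assumptions for illustration.

```python
import html
import re

# Constructed sample device names (not taken from the original report).
# The "markup" entry carries a harmless marker tag, enough to show that
# anything inside it would reach the browser unencoded.
SAMPLE_NAMES = {
    "benign": "Alice's iPhone",
    "markup": "Alice's iPhone<script>/* constructed marker */</script>",
}

# Hypothetical invoice template: the device name is placed in a text node.
INVOICE_TEMPLATE = "<html><body><p>Purchased on device: {device}</p></body></html>"


def render_invoice_unsafe(device_name: str) -> str:
    """Mirrors the flaw in the article: the device name is inserted into
    the invoice HTML with no output encoding, so tags in the name become
    live markup when the invoice is viewed in a browser."""
    return INVOICE_TEMPLATE.format(device=device_name)


def render_invoice_safe(device_name: str) -> str:
    """Hardened form: escape <, >, &, quotes before the name enters HTML.
    The name is still displayed verbatim to the reader; it just cannot be
    interpreted as markup."""
    return INVOICE_TEMPLATE.format(device=html.escape(device_name, quote=True))


# Matches any HTML tag-like token: <p>, </body>, <script ...>, etc.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def contains_active_markup(rendered: str) -> bool:
    """Detection helper for a review or regression test: return True if the
    rendered invoice contains a tag that the template itself did not supply,
    i.e. markup that was smuggled in through a data field."""
    template_tags = set(TAG_RE.findall(INVOICE_TEMPLATE))
    return any(tag not in template_tags for tag in TAG_RE.findall(rendered))


def is_acceptable_device_name(name: str) -> bool:
    """Input-side sanity check (defence in depth, not a replacement for
    output encoding): non-empty, bounded length, no angle brackets and no
    control characters. The length limit of 64 is an assumed policy value."""
    if not 0 < len(name) <= 64:
        return False
    return not any(ch in "<>" or ord(ch) < 32 for ch in name)


if __name__ == "__main__":
    for label, name in SAMPLE_NAMES.items():
        print(f"[{label}] acceptable as input: {is_acceptable_device_name(name)}")
        print(f"[{label}] unsafe render smuggles markup: "
              f"{contains_active_markup(render_invoice_unsafe(name))}")
        print(f"[{label}] safe render smuggles markup:   "
              f"{contains_active_markup(render_invoice_safe(name))}")
```

Run stand-alone, the script shows the "markup" name passing through the unencoded renderer as live tags and being neutralised by the escaped one, while the benign name renders cleanly in both. The encoding step is the actual fix; the input check only narrows what reaches storage and would not protect existing records already holding a crafted name.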
(Score: 1) by Roger Murdock on Monday August 03 2015, @12:38AM
To make the attack, you don't need to control the app or have any contact with the app store. It's the victim's viewing of an invoice from an app store purchase that triggers the attack; it doesn't matter what they bought. You do need to be able to change the victim's device name though, so...
(Score: 0) by Anonymous Coward on Monday August 03 2015, @02:58AM
... change it to some JavaScript long enough to generate an exploit.