Skip to content ↓ | Skip to navigation ↓

Apple has patched an application-side input validation web vulnerability in iTunes and the App Store that allowed attackers to inject malicious code into user invoices.

The vulnerability received a ‘High’ severity level and a CVSS rating of 5.8. It allows for session hijacking, persistent phishing attacks, and other malicious activities.

Benjamin Kunz Mejri, a researcher with Vulnerability Lab who discovered the bug, has provided some background on the vulnerability.

“The Apple iTunes and App Store is taking the device cell name of the buying users,” Mejri explains in a post. “Remote attackers can manipulate the name value by an exchange with script code (special chars). After that the attacker buys any article in the App Store or iTunes-store. During that procedure the internal App Store service takes the device value and does encode it with wrong conditions. The seller account context runs since the error with the injected script code occurs and gets this way re-implemented to the invoice. Thus results in an application-side script code execution in the invoice of Apple.”

To clarify, Mejri found that he could input anything into the name field of his device when making a purchase on either iTunes or the App Store. This included malicious code, which would be passed to both the buyer and seller via email notification in unadulterated HTML.

The researcher goes on to explain that remote attackers could manipulate the bug via persistent manipulated context to other Apple store user accounts and thereby pose a significant risk to sellers, buyers, and Apple web managers and developers.

A proof of concept for the bug can be viewed below:

Mejri first disclosed the vulnerability to Apple on June 8th of this year. It is unclear when exactly the issue was patched.

UK security expert John Walker, Visiting Professor at Nottingham Trent University, CEO of security services firm Hexforensics, and regular contributor for The State of Security, feels that similar vulnerabilities are on the way.

“We are living in a world which has become over-reliant on the complexities of code, and associated third-party interfaces that maintain the operability of the end-user experience,” he told via email. “There is no guarantee that there may not be some chink in the security elements of the software development language. We the public must accept that this zero-day which has occurred is not a one-off, and for sure it will not be the last.”

Neither Vulnerability Lab nor Apple could be reached at the time of this writing.