Skip Ribbon Commands
Skip to main content
Computer Emergency Response Team of Mauritius (CERT-MU)
Computer Emergency Response Team of Mauritius>Apple Patches Remote ‘Invoice Vulnerability’ in iTunes, App Store

Apple Patches Remote ‘Invoice Vulnerability’ in iTunes, App Store


Apple recently patched a serious issue in its App Store and iTunes Store web app that could have let a remote attacker inject malicious script into invoices that come from Apple and subsequently lead to session hijacking, phishing, and redirect. The web vulnerability was unearthed in June. The vulnerability can be exploited by attackers when users do online purchases. Apple uses the name of users’ devices – something that attackers can manipulate via script code. User device names are usually arbitrary, but, according to the researcher, the App Store and iTunes takes that device value and encodes it with the wrong conditions. This means that if an attacker were to put their code through Apple’s invoicing system, it would result in application-side script code execution. After a purchase from either the App Store or iTunes, the invoice gets sent to the target’s email and triggers the malicious code. Remote attackers can manipulate the bug by interaction via persistent manipulated context to other Apple store user accounts. The vulnerability can be exploited by remote attackers and the malicious receiver/sender email is *@email.apple.com.
 
Source:
 
Threatpost
 
Team Cymru
 
Naked Security Sophos
 
ZDNet
 
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Postal address
Mauritian Computer Emergency Response Team (CERT-MU)
National Computer Board
7th Floor, Stratton Court
La Poudriere Street
Port Louis