Apple App Store and iTunes buyers hit by zero-day

A zero-day flaw in Apple's online AppStore and iTunes store reportedly allows attackers to hijack users' purchasing sessions, buy and download any app or movie they want, then charge it to the original user.

Apple App Store and iTunes buyers hit by zero-day
Apple App Store and iTunes buyers hit by zero-day

The filter bypass flaw in Apple's online invoicing system has been found by German security researcher and Vulnerability Lab founder, Benjamin Kunz Meyri.

He published his findings on Full Disclosure yesterday, after first alerting Apple to the bug on 9 June. It is not clear from the reported timeline when Apple fixed the bug.

Vulnerability Lab says the zero-day “demonstrates a significant risk to buyer, sellers or Apple website managers/developers”. And it warns that attackers only need “a low-privilege Apple AppStore/iCloud account and low or medium user interaction” to carry out the attack.

Vulnerability Lab describes the problem as an application-side input validation bug which allows remote hackers to inject their own malicious code into the Apple online service, and change the buyer's name to make their purchase.

It lists the manual steps to exploit the vulnerability as:

1. Inject script code to your device cell name.

2. Buy an article using the Apple iTunes or AppStore online service (via app or desktop browser).

3. Choose any app or movie that you would like to buy and download it.

4. After the download an invoice arrives to the user's inbox.

Vulnerability Lab says: “Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent redirect to external sources and persistent manipulation of the affected or connected service module.”

A video of the attack being carried out is available on YouTube here.

Benjamin Kunz Mejri is a pen tester and security analyst who founded Vulnerability Lab in 2010. The company is partly funded by earning bug bounties, and Kunz Meyri has discovered 0-days in software from Google, Facebook, Microsoft, PayPal, Kaspersky, McAfee and others, as well as Apple.

Commenting on his findings, UK security expert John Walker, Visiting Professor at Nottingham Trent University and CEO of security services firm Hexforensics, said that zero-days like this have to be expected.

“We are living in a world which has become over-reliant on the complexities of code, and associated third-party interfaces that maintain the operability of the end-user experience,” he told SCMagazineUK.com via email.

“There is no guarantee that there may not be some chink in the security elements of the software development language. We the public must accept that this zero-day which has occurred is not a one-off, and for sure it will not be the last.”

Vulnerability Lab and Apple were contacted for their comments but had not responded by time of writing.