Zero Day for Apple App Store, iTunes

Wednesday, July 29, 2015 @ 01:07 PM gHale

With more people in the manufacturing automation industry using iPhones, there is a Zero Day warning regarding use of the AppStore or the iTunes store.

A filter bypass Zero Day in Apple’s online AppStore and iTunes store could allow an attacker to hijack users’ purchasing sessions, buy and download any app or movie they want, then charge it to the original user.

German security researcher and Vulnerability Lab founder Benjamin Kunz Mejri discovered this filter bypass flaw in Apple’s online invoicing system.

He published his findings on Full Disclosure after letting Apple know of the weakness on June 9.

Apple apparently received the notification and its developer team fixed the problem, but when the fix happened remains a bit of a mystery.

Vulnerability Lab said the vulnerability “demonstrates a significant risk to buyer, sellers or Apple website managers/developers.” It also warns that attackers only need “a low-privilege Apple AppStore/iCloud account and low or medium user interaction” to carry out the attack.

Vulnerability Lab describes the problem as an application-side input validation bug which allows remote hackers to inject their own malicious code into the Apple online service, and change the buyer’s name to make their purchase.

It lists the manual steps to exploit the vulnerability as:
1. Inject script code to your device cell name.
2. Buy an article using the Apple iTunes or AppStore online service (via app or desktop browser).
3. Choose any app or movie that you would like to buy and download it.
4. After the download an invoice arrives to the user’s inbox.

“Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent redirect to external sources and persistent manipulation of the affected or connected service module,” Vulnerability Lab said.
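The defensive side of the input validation bug described above, as an added example that is not taken from Vulnerability Lab's advisory or from Apple's code: a user-controlled device name flowing into an HTML invoice, rendered once without encoding and once with output encoding plus an input allow-list. The template, field names and allow-list rule are assumptions made for illustration.

```python
import html
import re

# Hypothetical invoice template; the real invoice markup is not shown on the page.
TEMPLATE = "<p>Buyer: {buyer}</p><p>Device: {device}</p><p>Item: {item}</p>"

# Conservative allow-list for a device name (an assumption, not Apple's actual rule).
DEVICE_NAME_OK = re.compile(r"^[\w .,'’()\-]{1,64}$")


def render_invoice_unsafe(buyer, device, item):
    """'Before' form: user-controlled values are pasted into the HTML as-is."""
    return TEMPLATE.format(buyer=buyer, device=device, item=item)


def render_invoice_safe(buyer, device, item):
    """Hardened form: every value is HTML-encoded at output time."""
    return TEMPLATE.format(
        buyer=html.escape(buyer, quote=True),
        device=html.escape(device, quote=True),
        item=html.escape(item, quote=True),
    )


def validate_device_name(name):
    """Input-side check: accept only names that match the allow-list."""
    return bool(DEVICE_NAME_OK.match(name))


# Constructed sample values, not taken from the advisory.
BENIGN = "Alice's iPhone"
MARKUP = "<script>alert(1)</script>"

if __name__ == "__main__":
    for name in (BENIGN, MARKUP):
        print("device name:", repr(name))
        print("  passes allow-list:", validate_device_name(name))
        print("  unsafe render:", render_invoice_unsafe("Alice", name, "Some App"))
        print("  safe render:  ", render_invoice_safe("Alice", name, "Some App"))
```

Encoding at output time is the control that matters for the stored invoice; the allow-list only narrows what reaches it and should not be the sole defence.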