An invoice bug in Apple’s stores: big trouble that passed by

August 6, 2015

Apple patched a serious issue in its App Store and iTunes Store, which could have undermined many of the businesses working in this ecosystem. A remote attacker could inject malicious script into invoices that came from Apple, which would subsequently lead to session hijacking, phishing, and redirects.

The information about the vulnerability became public late in July, while Apple had apparently patched the flaw a month prior – so the flaw isn’t there anymore.

The issue, an application-side input validation web vulnerability, was tied to the fact that Apple includes the name of the user’s device in purchase invoices. According to Threatpost’s publication, this is a value that attackers can manipulate via script code. User device names are usually arbitrary, but according to the security expert who discovered the bug, the App Store and iTunes take that device value and encode it “with the wrong conditions.”

This means if an attacker were to put their code through Apple’s invoicing system, it would result in an application-side script code execution. After a purchase from either the App Store or iTunes, the invoice gets sent to the target’s email and triggers the malicious code.
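The following sketch is an added illustration, not code from the original article or from Apple. It renders an invoice with a user-controlled device name, once without output encoding and once with it, and parses the result to flag any element the template did not define. The template, field names and function names are assumptions, and the device name is a constructed sample.

```python
import html
from html.parser import HTMLParser

# Hypothetical invoice template; the field names are assumptions for illustration.
INVOICE_TEMPLATE = (
    "<html><body><h1>Receipt</h1>"
    "<p>Order: {order_id}</p>"
    "<p>Purchased on device: {device_name}</p>"
    "</body></html>"
)
# Elements the template itself defines, in any order.
TEMPLATE_TAGS = ["html", "body", "h1", "p", "p"]

def render_invoice_unsafe(order_id, device_name):
    """Interpolates the user-controlled device name with no output encoding."""
    return INVOICE_TEMPLATE.format(order_id=order_id, device_name=device_name)

def render_invoice_safe(order_id, device_name):
    """HTML-encodes every dynamic field before it reaches the template."""
    return INVOICE_TEMPLATE.format(
        order_id=html.escape(str(order_id), quote=True),
        device_name=html.escape(device_name, quote=True),
    )

class TagCollector(HTMLParser):
    """Records every element an HTML parser actually sees in the output."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def unexpected_tags(rendered):
    """Return elements in a rendered invoice that the template does not define."""
    collector = TagCollector()
    collector.feed(rendered)
    collector.close()
    remaining = list(TEMPLATE_TAGS)
    extra = []
    for tag in collector.tags:
        if tag in remaining:
            remaining.remove(tag)
        else:
            extra.append(tag)
    return extra

# Constructed sample input: a device name that carries markup.
SAMPLE_DEVICE_NAME = 'Alice\'s iPhone"><script>document.title="x"</script>'

if __name__ == "__main__":
    print(unexpected_tags(render_invoice_unsafe("A-1", SAMPLE_DEVICE_NAME)))
    print(unexpected_tags(render_invoice_safe("A-1", SAMPLE_DEVICE_NAME)))
```

A check like `unexpected_tags` can run as a regression test over every template that embeds account or device fields, so a field that skips encoding is caught before the mail is sent.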


The severity level of this vulnerability is (was) considered high. Aside from the proof of concept, there are no reports of actual exploitation of the flaw, which is definitely good news.

In general, Apple’s software and its stores have a good reputation, security-wise. The company invests a lot of effort in security, even though hiccups do occur, albeit quite rarely.

That’s why the revelation of this bug is especially noteworthy. The possible attack would put at risk many businesses and individuals, who have become comfortable in assuming nothing perilous comes from Apple’s software and media stores. However, this particular bug shows that its infrastructure is not necessarily impeccable.


This is a wide-scale problem, not limited to Apple’s stores (cybercriminals would rather choose other systems than Apple’s platforms). So it is highly recommended to stay alert – always – and keep security solutions active constantly.