Q
Problem solve Get help with specific problems with your technologies, process and projects.

The Apple Notify flaw: How does it allow malicious script injection?

Flaws in the Apple Notify function and iTunes can enable attackers to inject malicious script into the application side. Expert Michael Cobb explains how these vulnerabilities work.

Vulnerability Lab researchers found two flaws in Apple's iTunes and App Store that attackers could use to inject...

malicious script into the application side of the services. The flaws can be exploited through Apple's new Notify function, which gathers information from devices and alerts users when an application has debuted. How do these vulnerabilities work? What can Apple users do to secure their devices?

Software vendors are constantly adding new features to their products in order to drive sales and keep existing customers. Like with any change to a program's functionality, new pieces of code should be rigorously tested for logic flaws and potential vulnerabilities before its public release. Software developers should be able to avoid repeating past coding errors if there is a proper lessons learned element to the software development lifecycle.

Unfortunately, the Apple Notify function for iOS version 10.2 devices contained similar flaws to those previously discovered in Apple's invoice management system (Apple Security ID 623920272). Although the flaws were not easily exploitable, Apple was forced to disable the Notify function.

In 2015, security researcher Benjamin Kunz Mejri discovered a vulnerability within Apple's App Store and the iTunes invoice management system that enabled him to inject malicious code into an invoice document. Mejri later found a similar exploitation scenario in the Apple Notify function. The function was meant for users who wanted to be alerted when a new app became available. An email would be sent to the user's device when the selected title went live on the App Store. Mejri verified his exploit worked when Apple sent out its first notification for the new Super Mario Run app on Dec. 15, 2016.

The vulnerability leverages various flaws in the iTunes application and the App Store's iOS Notify function to enable a remote attacker to inject malicious script into the email from Notify.

When a user clicks on the Apple Notify feature for an unreleased app, the function automatically retrieves information from their device, including the device name value and the primary iCloud email ID. However, the value stored in the device name parameter is not validated or cleansed, resulting in a persistent input validation flaw. This means an attacker can enter a malicious JavaScript payload into the device name field and it won't be rejected when it's stored or merged into Notify's email HTML template.

Moreover, the remote attacker can set the victim's iCloud email as their primary email address without any confirmation from the victim. When Apple sends the Notify email, it would go to the user's primary email and include the malicious payload inserted by the attacker into the device name field. The payload would execute because Apple's email client also fails to scan the content of emails.

This series of vulnerabilities provides several options for an attacker to further compromise the device and the user, such as session hijacking, persistent phishing attacks and persistent redirects to attacker-controlled sites. Until Apple releases a fix for all three vulnerabilities, users should not use the Apple Notify function.

Next Steps

Find out why QuickTime for Windows was suddenly moved to end of life by Apple

Learn how a pirated app beat Apple's App Store security review

Discover how iOS 10 security checks enable decryption of local backups

This was last published in June 2017

Dig Deeper on Email and messaging threats

PRO+

Content

Find more PRO+ content and other member only offers, here.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Join the conversation

1 comment

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

How does your enterprise ensure the security of new Apple functions?
Cancel

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close