Vulnerability Lab researchers found two flaws in Apple's iTunes and App Store that attackers could use to inject malicious script into the application side of the services. The flaws can be exploited through Apple's new Notify function, which gathers information from devices and alerts users when an application has debuted. How do these vulnerabilities work? What can Apple users do to secure their devices?
Software vendors are constantly adding new features to their products in order to drive sales and keep existing customers. As with any change to a program's functionality, new pieces of code should be rigorously tested for logic flaws and potential vulnerabilities before their public release. Software developers should be able to avoid repeating past coding errors if there is a proper lessons-learned element in the software development lifecycle.
Unfortunately, the Apple Notify function for iOS version 10.2 devices contained similar flaws to those previously discovered in Apple's invoice management system (Apple Security ID 623920272). Although the flaws were not easily exploitable, Apple was forced to disable the Notify function.
In 2015, security researcher Benjamin Kunz Mejri discovered a vulnerability within Apple's App Store and the iTunes invoice management system that enabled him to inject malicious code into an invoice document. Mejri later found a similar exploitation scenario in the Apple Notify function. The function was meant for users who wanted to be alerted when a new app became available. An email would be sent to the user's device when the selected title went live on the App Store. Mejri verified his exploit worked when Apple sent out its first notification for the new Super Mario Run app on Dec. 15, 2016.
The vulnerability leverages various flaws in the iTunes application and the App Store's iOS Notify function to enable a remote attacker to inject malicious script into the email from Notify.
Moreover, the remote attacker can set the victim's iCloud email as their primary email address without any confirmation from the victim. When Apple sends the Notify email, it would go to the user's primary email and include the malicious payload inserted by the attacker into the device name field. The payload would execute because Apple's email client also fails to scan the content of emails.
This series of vulnerabilities provides several options for an attacker to further compromise the device and the user, such as session hijacking, persistent phishing attacks and persistent redirects to attacker-controlled sites. Until Apple releases a fix for all three vulnerabilities, users should not use the Apple Notify function.
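The server-side defect described above is a user-controlled field (the device name) reaching an HTML email body without output encoding. The following is an added example, not Apple's code or code from the original article: the template text, function names and sample device name are all constructed for illustration, and it shows the unencoded rendering next to a hardened one.

```python
import html
import re
from html.parser import HTMLParser

# Hypothetical notification template; {device} is filled from the account's device name.
TEMPLATE = "<p>The app you asked about is now available for {device}.</p>"

# Constructed sample of a device name carrying markup (not taken from the article).
SAMPLE_DEVICE_NAME = 'iPhone"><script>alert(1)</script>'


def render_unsafe(device_name: str) -> str:
    """'Before' form: the device name is placed into the HTML body as-is."""
    return TEMPLATE.format(device=device_name)


def render_safe(device_name: str, max_len: int = 64) -> str:
    """Hardened form: drop control characters, bound the length, HTML-encode on output."""
    cleaned = re.sub(r"[\x00-\x1f\x7f]", "", device_name)[:max_len]
    return TEMPLATE.format(device=html.escape(cleaned, quote=True))


class _TagCollector(HTMLParser):
    """Records every start tag an HTML parser sees in a rendered body."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(body: str) -> list:
    """Regression check for templates: which elements does the body really contain?"""
    collector = _TagCollector()
    collector.feed(body)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    print("unsafe:", tags_in(render_unsafe(SAMPLE_DEVICE_NAME)))
    print("safe:  ", tags_in(render_safe(SAMPLE_DEVICE_NAME)))
```

A check like `tags_in` can run in template unit tests so that any field rendered without encoding shows up as an unexpected element.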