ras-slava - Fotolia
Vulnerability Lab researchers found two flaws in Apple's iTunes and App Store that attackers could use to inject malicious script into the application side of the services. The flaws can be exploited through Apple's new Notify function, which gathers information from devices and alerts users when an application has debuted. How do these vulnerabilities work? What can Apple users do to secure their devices?
Software vendors are constantly adding new features to their products in order to drive sales and keep existing customers. Like with any change to a program's functionality, new pieces of code should be rigorously tested for logic flaws and potential vulnerabilities before its public release. Software developers should be able to avoid repeating past coding errors if there is a proper lessons learned element to the software development lifecycle.
Unfortunately, the Apple Notify function for iOS version 10.2 devices contained similar flaws to those previously discovered in Apple's invoice management system (Apple Security ID 623920272). Although the flaws were not easily exploitable, Apple was forced to disable the Notify function.
In 2015, security researcher Benjamin Kunz Mejri discovered a vulnerability within Apple's App Store and the iTunes invoice management system that enabled him to inject malicious code into an invoice document. Mejri later found a similar exploitation scenario in the Apple Notify function. The function was meant for users who wanted to be alerted when a new app became available. An email would be sent to the user's device when the selected title went live on the App Store. Mejri verified his exploit worked when Apple sent out its first notification for the new Super Mario Run app on Dec. 15, 2016.
The vulnerability leverages various flaws in the iTunes application and the App Store's iOS Notify function to enable a remote attacker to inject malicious script into the email from Notify.
Moreover, the remote attacker can set the victim's iCloud email as their primary email address without any confirmation from the victim. When Apple sends the Notify email, it would go to the user's primary email and include the malicious payload inserted by the attacker into the device name field. The payload would execute because Apple's email client also fails to scan the content of emails.
This series of vulnerabilities provides several options for an attacker to further compromise the device and the user, such as session hijacking, persistent phishing attacks and persistent redirects to attacker-controlled sites. Until Apple releases a fix for all three vulnerabilities, users should not use the Apple Notify function.
Find out why QuickTime for Windows was suddenly moved to end of life by Apple
Learn how a pirated app beat Apple's App Store security review
Discover how iOS 10 security checks enable decryption of local backups
Dig Deeper on Email and messaging threats
Related Q&A from Michael Cobb
By performing ongoing risk assessments, organizations can keep their SSH vulnerabilities at a minimum and ensure their remote access foundation is ... Continue Reading
Sending sensitive information in attachments is inherently unsafe, and the main way to secure them -- encryption -- can be implemented inconsistently... Continue Reading
Spyware can steal mundane information, track a user's every move and everything in between. Read up on the types of spyware and how to best fix ... Continue Reading