Apple App Store and iTunes Store - Filter Bypass & Persistent Invoice Web Vulnerability

Apple iTunes & AppStore - (Invoice) Persistent Input Validation & Mail Encoding Web Vulnerability

Apple App Store and iTunes Store - Filter Bypass & Persistent Invoice Web Vulnerability

An application-side input validation web vulnerability has been discovered in the official Apple - App Store and iTunes Store online-service web-application. Vulnerability-Lab Founder and Researcher Benjamin Kunz-Mejri discovered a vulnerability that allows remote attackers to inject own malicious script codes to the application-side of the vulnerable context function or service module. The Vulnerability has been reported to Apple Security team on June 9, 2015 and they accepted it via mail response on June 29, 2015. Since then there was only a brief conversation about the issue and the status mails are not fully replied by Apple.

Proof of Concept

The apple itunes and appstore is taking the device cell name of the buying users. Remote attackers can manipulate the name value by an exchange with script code (special chars). After that the attacker buys any article in the appstore or itunes-store. During that procedure the internal appstore service takes the device value and does encode it with wrong conditions. The seller account context runs since the error with the injected script code occurs and gets this way re-implemented to the invoice. Thus results in an application-side script code execution in the invoice of apple. Remote attackers can manipulate the issue by interaction via persistent manipulated context to other apple store user accounts. The vulnerability can be exploited by remote attackers and the malicious receiver/sender email is * The invoice is present to both parties (buyer & seller) which demonstrates a significant risk to buyers, sellers or apple website managers/developers. The issue impact also the risk that a buyer can be the seller by usage of the same name to compromise the store online service integrity.

The security risk of the persistent input validation and mail encoding web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 5.8. Exploitation of the persistent input validation and mail encoding web vulnerability requires a low privilege apple (appstore/icloud) account and low or medium user interaction. Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent redirect to external sources and persistent manipulation of affected or connected service module context.

Vulnerability Disclosure Timeline

2015-06-09:    Researcher Notification & Coordination (Benjamin Kunz Mejri)
2015-06-09:    Vendor Notification (Apple)
2015-06-29:    Vendor Response/Feedback (Apple)
2015-**-**:    Vendor Fix/Patch Notification (Apple)
2015-07-22:    Public Disclosure (Vulnerability Laboratory)



Magazine Article:


Reference(s): English,critical-vulnerability-found-in-app...

Reference(s): International





Reference(s): German

Rate this article: 
Average: 4.3 (11 votes)


Nice one Ben

Add new comment

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.