Apple's App Store and iTunes invoicing system has a major security hole that lets attackers remotely inject their own script code into the application side of the affected service module, security researcher Benjamin Kunz Mejri of Vulnerability Lab revealed earlier this week (via ZDNet).
Because the iTunes and App Store backends read the buyer's device name, an attacker can exploit the flaw by replacing that name value with crafted script code. When the user then purchases a product from one of these stores, the backend takes the device value, encodes it into the invoice without neutralizing the injected markup, and sends the generated invoice to the seller.
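The failure mode described above is a classic persistent injection: an untrusted, user-controlled field (the device name) is copied verbatim into an HTML mail body. The following is an added illustration, not code from Apple or from Vulnerability Lab's report; the template, function names and sample device names are all constructed here. It renders the same invoice template both the flawed way and the hardened way (HTML-encoding at output time, plus an input-side sanity check), and includes a detection helper that flags rendered invoices containing tags the template itself never emits.

```python
import html
import re

# Constructed sample inputs: a benign device name and a probe string containing
# markup. Neither comes from the original report.
SAMPLE_DEVICE_NAMES = {
    "benign": "Alice's iPhone",
    "crafted": "iPhone<script>probe()</script>",
}

# Hypothetical invoice template; {device} is the only untrusted interpolation.
INVOICE_TEMPLATE = (
    "<html><body>"
    "<p>Thank you for your purchase.</p>"
    "<p>Device: {device}</p>"
    "</body></html>"
)

# Tag names the template legitimately emits on its own.
TEMPLATE_TAGS = {"html", "body", "p"}


def render_invoice_unsafe(device_name: str) -> str:
    """Mirrors the flaw: the device name is dropped into the HTML mail body
    verbatim, so any markup the buyer put in it becomes part of the invoice."""
    return INVOICE_TEMPLATE.format(device=device_name)


def render_invoice_safe(device_name: str) -> str:
    """Hardened form: encode the untrusted value at the point of output so that
    '<', '>', '&' and quotes are shown as text instead of parsed as markup."""
    return INVOICE_TEMPLATE.format(device=html.escape(device_name, quote=True))


def is_plausible_device_name(device_name: str, max_len: int = 64) -> bool:
    """Input-side check (defence in depth, not a substitute for output encoding):
    a device name should be short and free of angle brackets and control chars."""
    if not device_name or len(device_name) > max_len:
        return False
    if any(ord(c) < 0x20 for c in device_name):
        return False
    return "<" not in device_name and ">" not in device_name


_TAG_RE = re.compile(r"<\s*([A-Za-z][A-Za-z0-9]*)")


def contains_injected_markup(rendered: str) -> bool:
    """Detection check for an invoice pipeline: report True when the rendered
    document contains any tag that the template itself does not produce."""
    found = {name.lower() for name in _TAG_RE.findall(rendered)}
    return bool(found - TEMPLATE_TAGS)


if __name__ == "__main__":
    for label, name in SAMPLE_DEVICE_NAMES.items():
        print(f"{label}: plausible={is_plausible_device_name(name)}")
        print("  unsafe flagged:", contains_injected_markup(render_invoice_unsafe(name)))
        print("  safe   flagged:", contains_injected_markup(render_invoice_safe(name)))
```

Running the script shows the crafted name passing straight through `render_invoice_unsafe` and being flagged, while `render_invoice_safe` turns the same input into inert text. The detection helper is deliberately template-aware: anything beyond the known tag set is treated as injected, which is a cheap check to run on generated mail before it leaves the backend.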
The flaw received a CVSS (Common Vulnerability Scoring System) score of 5.68 out of 10, where 10 is the most severe.
Exploitation of the persistent input validation and mail encoding web vulnerability requires a low-privilege Apple (App Store/iCloud) account and low or medium user interaction. Successful exploitation results in session hijacking, persistent phishing attacks, persistent redirects to external sources and persistent manipulation of the affected or connected service module context, Mejri writes.
The researcher has published a proof-of-concept video (inserted below) and step-by-step instructions to exploit the flaw. Apple was notified on June 8.