Number: IRCNE2015072582
Date: 2015/07/28
According to “cnet”, a critical flaw has been discovered in Apple's App Store and iTunes invoice system which could result in session hijacking and malicious invoice manipulation.
Revealed this week by security researcher Benjamin Kunz Mejri from Vulnerability Lab, the persistent injection flaw, deemed critical, is an application-side input validation web vulnerability. In an advisory, the researcher said the vulnerability allows remote attackers to inject malicious script codes into flawed content function and service modules.
According to Mejri, an attacker can exploit the flaw by manipulating a name value (device cell name) within the invoice module through an exchange of malicious, scripted code. If a product is purchased in Apple's stores, the backend takes the device value and encodes it with manipulated conditions in order to generate an invoice before sending it on to the seller.
The exploit can be used to hijack user sessions, launch persistent phishing attacks, create persistent redirects to external sources and manipulate affected or connected service modules.
- 6