Apple Patches Remote ‘Invoice Vulnerability’ in iTunes, App Store

Apple recently patched a serious issue in its App Store and iTunes Store web apps that could have let a remote attacker inject their own malicious script code into invoices that come from Apple.

Apple recently patched a serious issue in its App Store and iTunes Store web app that could have let a remote attacker inject malicious script into invoices that come from Apple and subsequently lead to session hijacking, phishing, and redirect.

The vulnerability was unearthed in June by Benjamin Kunz Mejri, a researcher with Vulnerability Lab, and reported to the Cupertino conglomerate. Apple did not reply to a request for comment prior to publication.

Mejri, who claims the bug “demonstrates a significant risk to buyers, sellers or Apple website managers/developers,” on Monday published details about the bug, along with a proof of concept.

Mejri couldn’t reveal exactly when Apple addressed the issue but the company’s most recent update to iTunes — which came alongside Apple Music – was deployed on June 30, suggesting Apple may have fixed the issue within the month.

The issue, an application-side input validation web vulnerability, is apparently tied to the fact that when it comes to purchase invoices, Apple uses the name of users’ devices – something that attackers can manipulate via script code. User device names are usually arbitrary, but, according to Mejri, the App Store and iTunes takes that device value and encodes it with the wrong conditions.

This means that if an attacker were to put their code through Apple’s invoicing system, it would result in application-side script code execution. After a purchase from either the App Store or iTunes, the invoice gets sent to the target’s email and triggers the malicious code.

“Remote attackers can manipulate the bug by interaction via persistent manipulated context to other Apple store user accounts,” Mejri elaborated on Monday, “The vulnerability can be exploited by remote attackers and the malicious receiver/sender email is *”

In addition to session hijacking, phishing and redirect, an attacker could also carry out “persistent manipulation of affected or connected service module context,” Mejri warns.

Suggested articles