There is a cross-site scripting vulnerability in the Apple Store Web site that is exposing visitors to potential attack. The vulnerability was discovered by a German security researcher who says he informed Apple about the problem in mid-May, but the vulnerability still exists.
The XSS vulnerability lies in store.apple.com, and the researchers, Stefan Schurtz, said he has tested it on several browser versions, including Internet Explorer 8 and 10, as well as Google Chrome 27. Schurtz provided proof-of-concept exploit code for the vulnerability in his advisory, which he posted on the Full Disclosure mailing list.
Schurtz said he contacted Apple about the XSS vulnerability on May 12 and the vendor responded within a day. He then contacted Apple a second time on May 29 with a question about the status of the advisory, again receiving a response later that same day. However, Schurtz decided to release the advisory on June 7 after four weeks without a resolution for the vulnerability.
Schurtz said that the bug is a DOM-based XSS vulnerability that affects visitors to the main Apple Store page. This kind of vulnerability involves a modification to the environment of the victim’s browser. Many other XSS exploits involve modifying the response from the Web server to exploit the vulnerability.
