How A Bug Hunter Forced Apple to Completely Remove A Newly Launched Feature

January 20, 2017

Recently Apple released a new Feature for iPhone and iPad users, but it was so buggy that the company had no option other than rolling back the feature completely.

In November, Apple introduced a new App Store feature, dubbed “Notify” button — a bright orange button that users can click if they want to be alerted via iCloud Mail when any game or app becomes available on the App Store.

Vulnerability Lab’s Benjamin Kunz Mejri discovered multiple vulnerabilities in iTunes’s Notify feature and iCloud mail, which could allow an attacker to infect other Apple users with malware.

“Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent redirect to external sources and persistent manipulation of affected or connected service module context,” Mejri wrote in an advisory published Monday.

Here’s How the Attack Works?

The attack involves exploitation of three vulnerabilities via iTunes and the App Store’s iOS Notify function.

When you click on notify feature for any unreleased app, the function automatically retrieves information from your device, including your devicename value and primary iCloud email id, to alert you when the soon-to-launch app debuts.

However, this devicename parameter is vulnerable to persistent input validation flaw, which allows an attacker to insert malicious javascript payload into the devicename field that would get executed on the victim’s device in the result after successful exploitation.

Moreover, the remote attacker can even set the victim’s iCloud email as his/her primary email address, without any confirmation from the victim’s side, and that’s where the second flaw resides.

Read full story