App Store

An invoice bug in Apple’s stores: a big trouble that passed by

Apple patched a serious issue in its App Store and iTunes Store, which could have undermined many of the businesses working in this ecosystem.

Yuri Ilyin
August 6, 2015

Apple patched a serious issue in its App Store and iTunes Store, which could have undermined many of the businesses working in this ecosystem. A remote attacker could inject malicious script into invoices that came from Apple, which would subsequently lead to session hijacking, phishing, and redirect.

An invoice bug in Apple’s stores: a big trouble that passed by #security
Tweet

The information about the vulnerability became public late in July, while Apple had apparently patched the flaw a month prior – so the flaw isn’t there anymore.

The issue, an application-side input validation web vulnerability, was tied to the fact that when it comes to purchase invoices, Apple uses the name of users’ devices. According to Threatpost’s publication, it is something that attackers can manipulate via script code. User device names are usually arbitrary, but according to the security expert who discovered the bug, the App Store and iTunes take that device value and encodes it “with the wrong conditions.”

This means if an attacker were to put their code through Apple’s invoicing system, it would result in an application-side script code execution. After a purchase from either the App Store or iTunes, the invoice gets sent to the target’s email and triggers the malicious code.

Severity level of this vulnerability is (was) considered high. Aside from the proof of concept, there are no reports of actual exploitation of the flaw, which is definitely good news.

In general, Apple’s software and its stores have a good reputation, security-wise. The company invests a lot of effort in security, even though hiccups do occur, albeit quite rarely.

Blind confidence is not good – especially with #cybersecurity
Tweet

That’s why the revelation of this bug is especially noteworthy. The possible attack would put at risk many businesses and individuals, who have become comfortable in assuming nothing perilous comes from Apple’s software and media stores. However, this particular bug shows that its infrastructure is not necessarily impeccable.

https://business.kaspersky.com/android-financial-attacks-and-current-security-status/3901

This is a wide-scale problem, not limited to Apple’s stores (cybercriminals would rather choose other systems than Apple’s platforms). So it is highly recommended to stay alert – always – and keep security solutions active constantly.

#kaSPAssion24: 24 hours of Spa race

History, tradition, passion and belonging to the world of motorsport. The 24 hours of SPA was all that and so much more

Privacy & Kids

TARGETED SECURITY SOLUTIONS

Industries

An invoice bug in Apple’s stores: a big trouble that passed by

An unusual method of stealing data from surveillance cameras

Residential proxies: understanding the risks for organizations

#kaSPAssion24: 24 hours of Spa race

Tips

Advertisers sharing data about you with… intelligence agencies

Watch the (verified) birdie, or new ways to recognize fakes

Switching to Kaspersky: a step-by-step migration guide

Is it the boss – or is it a fraudster? Scams disguised as urgent orders from top brass

Sign up to receive our headlines in your inbox

Home Products

Small Business Products

Medium Business Products

Enterprise Solutions

Securelist

Eugene Personal Blog

Encyclopedia