Security researcher Benjamin Kunz Mejri of Vulnerability Lab disclosed the persistent injection flaw on his website, stating that the vulnerability allows remote attackers to inject malicious script code into the affected content function and service modules. The vulnerability has been deemed critical and assigned a CVSS severity rating of 5.8.

It is an application-side input validation web vulnerability that resides in the Apple App Store invoice module and is remotely exploitable from both the sender's and the receiver's side. According to Mejri, an attacker can exploit the flaw by manipulating a name value (the device cell name) within the invoice module, swapping it for specially crafted malicious script code. When a product is purchased in Apple's stores, the backend takes the device value and encodes it under the manipulated conditions in order to generate an invoice, which is then sent on to the seller. This results in application-side script code execution in Apple's invoice.

The exploit can be used to hijack user sessions, launch persistent phishing attacks, create persistent redirects to external sources, and manipulate affected or connected service modules.
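The root cause described above is a user-controlled value (the device name) being embedded verbatim into a generated HTML invoice. The following Python example, added here and not part of the original report or of Apple's code, contrasts that unsafe pattern with contextual output encoding and a simple detection check a reviewer can run over rendered invoices. The template, the function names and the sample device name are constructed for illustration, not taken from the advisory.

```python
import html
import re

# Constructed sample input: a device name carrying script markup, standing in for the
# attacker-controlled "device cell name" the report describes. This is a hypothetical
# illustration, not the payload from the advisory.
DEVICE_NAME_INPUT = 'My iPhone<script>alert(1)</script>'

# Hypothetical invoice template: the {device} slot sits in an HTML text-node context.
INVOICE_TEMPLATE = (
    "<html><body>"
    "<h1>Invoice</h1>"
    "<p>Purchased from device: {device}</p>"
    "</body></html>"
)

# Defence in depth at storage time: a device name has no business containing
# control characters or being arbitrarily long. Constructed policy, not Apple's.
MAX_DEVICE_NAME_LEN = 64
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def normalize_device_name(device_name: str) -> str:
    """Strips control characters and truncates; does NOT make the value HTML-safe."""
    cleaned = CONTROL_CHARS.sub("", device_name).strip()
    return cleaned[:MAX_DEVICE_NAME_LEN]


def render_invoice_unsafe(device_name: str) -> str:
    """Embeds the device name verbatim: the pattern behind persistent script injection."""
    return INVOICE_TEMPLATE.format(device=device_name)


def render_invoice_safe(device_name: str) -> str:
    """Escapes the device name for an HTML text-node context before embedding it.

    The encoding is applied at output time, in the template, so it holds regardless
    of what was accepted into the database earlier.
    """
    return INVOICE_TEMPLATE.format(device=html.escape(device_name, quote=True))


# Heuristic detection check for rendered invoices: a live <script> opening tag.
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_active_markup(rendered: str) -> bool:
    """Returns True if the rendered document still contains a live <script> tag."""
    return SCRIPT_TAG.search(rendered) is not None


if __name__ == "__main__":
    name = normalize_device_name(DEVICE_NAME_INPUT)
    print("unsafe render contains script tag:", contains_active_markup(render_invoice_unsafe(name)))
    print("safe render contains script tag:  ", contains_active_markup(render_invoice_safe(name)))
    print(render_invoice_safe(name))
```

The point of the two render functions is that input normalization alone would not have closed this class of bug: the name is still valid text, and only the output encoding for the HTML context the value lands in neutralizes it. The detection helper is deliberately a coarse regex; it is useful for scanning a batch of generated invoices for the specific symptom, not as a substitute for encoding.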
Proof of Concept:
A video demonstrating the proof of concept (PoC) step by step accompanied the original disclosure.
Mejri notified Apple of the vulnerability on 8th June and has not revealed the date on which Apple patched the flaw. The disclosure timeline is below.
2015-06-08: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2015-06-09: Vendor Notification (Apple Product Security Team)
2015--: Vendor Response/Feedback (Apple Product Security Team)
2015--: Vendor Fix/Patch Notification (Apple Developer Team)
2015-07-27: Public Disclosure (Vulnerability Laboratory)
Apple has not yet commented on the issue.