Another slow response from Apple’s security team?
Apple was told about a cross-site scripting vulnerability on its website a month ago but the flaw remains resident on the site, according to a German security researcher.
Stefan Schurtz wrote on the Full Disclosure mailing list on Seclists.org that he had tested exploits on store.apple.com using Internet Explorer 8, Internet Explorer 10 and Google Chrome 27. He claimed he told Apple via email on 12 May, receiving feedback the following day.
After weeks of inaction, Schurtz went public with the vulnerability. Apple has not responded to TechWeekEurope requests for comment.
In a cross-site scripting attack of this kind, the attack payload is placed in a response page because of a server-side vulnerability: input sent to the server is reflected back, unencoded, into the HTML it returns.
Such an attack would require the user to be logged in. An example of how one would be executed can be found here.
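The pattern the article describes, shown as an added illustration that is not code from Apple, from Schurtz's advisory or from the article itself: a server-side handler that echoes a request parameter into the page unencoded, beside the encoded version that neutralises it. The search page, the `q` parameter and the sample URL are constructed stand-ins and say nothing about how store.apple.com is actually built.

```python
"""Reflected XSS: unencoded server-side echo versus HTML output encoding.

Added illustration for this article. The "search results" page, the `q`
parameter and the sample URL are constructed; they are not taken from
the vulnerable site or from the researcher's report.
"""
from html import escape
from urllib.parse import parse_qs, urlparse

# Constructed sample input: a search term that happens to contain markup.
SAMPLE_TERM = "<script>alert(1)</script>"
SAMPLE_URL = "https://shop.example.invalid/search?q=%3Cscript%3Ealert(1)%3C/script%3E"


def term_from_url(url: str) -> str:
    """Extract the `q` query parameter the way a server framework would
    (percent-decoding included), so the term reaches the handler raw."""
    query = parse_qs(urlparse(url).query)
    return query.get("q", [""])[0]


def render_unsafe(term: str) -> str:
    """Vulnerable pattern: the user-supplied term is interpolated straight
    into the HTML response, so any tags in it become part of the page and
    run in the victim's (logged-in) browser session."""
    return f"<h1>Results for {term}</h1>"


def render_safe(term: str) -> str:
    """Hardened pattern: HTML-encode the term at the point where it is
    written into the response. quote=True also encodes quotation marks,
    so the same call is safe inside attribute values."""
    return f"<h1>Results for {escape(term, quote=True)}</h1>"


def response_headers() -> dict:
    """Defence-in-depth headers for the hardened response. Because the
    attack needs a logged-in victim, HttpOnly keeps the session cookie out
    of reach of any script that does slip through, and the CSP refuses to
    execute inline script at all. Values are illustrative."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
        "X-Content-Type-Options": "nosniff",
        "Set-Cookie": "session=<opaque-id>; HttpOnly; Secure; SameSite=Lax",
    }


def reflects_raw_input(body: str, term: str) -> bool:
    """Simple regression check a tester can run against a response body:
    does the submitted term appear verbatim, markup intact?"""
    return term in body


if __name__ == "__main__":
    term = term_from_url(SAMPLE_URL)
    print("unsafe :", render_unsafe(term))
    print("safe   :", render_safe(term))
    print("reflected unencoded?", reflects_raw_input(render_unsafe(term), term),
          "->", reflects_raw_input(render_safe(term), term))
```

The fix is output encoding at the point of emission rather than input filtering: the encoded page still shows the user exactly what they typed, but the browser treats it as text, not as markup.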
Apple has been criticised for its security efforts in the past. It was slammed for not reacting more quickly to close off the Flashback malware threat, and some want it to set up a proper bug bounty programme, akin to what Google, Facebook and others do.
That would encourage more researchers to notify Apple of flaws, but some aren’t convinced the iPhone maker would ever institute such a programme.
“Many other companies would pay you to find bugs like these and fix them almost on the spot,” Troy Hunt, software architect and Microsoft Most Valuable Professional for developer security, told TechWeek.
A bug bounty initiative “would be much more consistent with the likes of Google and eBay but very inconsistent with the ethos of Apple secrecy,” Hunt added.
“I’ve been ranting a bit about disclosure myself lately; it can be very hard to get an organisation to take notice of something that’s in their own best interest.”