Apple Fails To Act On Store Vulnerability Warnings

Apple was told about a cross-site scripting vulnerability on its website a month ago but the flaw remains resident on the site, according to a German security researcher.

Stefan Schurtz wrote on the Full Disclosure mailing list on Seclists.org he had tested exploits on store.apple.com using Internet Explorer 8, Internet Explorer 10 and Google Chrome 27. He claimed he told Apple via email on 12 May, receiving feedback the following day.

After weeks of inaction, Schurtz went public with the vulnerability. Apple has not responded to TechWeekEurope requests for comment.

Apple XSS vulnerability

XSS attacks typically see a crook send their victim a link to a vulnerable site. The link has them enter JavaScript code into a form, such as a search box, but the link is tweaked so that the website sends information – such as cookies – to the hacker’s own domain, instead of to the user’s PC.

In such cases, the attack payload is placed in a response page thanks to a server side vulnerability.

But the Apple proof-of-concept attack is Document Object Model (DOM) based, attempting to get client-side code to run in an unexpected way, typically by sending URLs containing malicious JavaScript code. The ultimate aim is to have the victim’s browser run the attackers’ code, which could lead to cookies being leaked and accounts hijacked.

Such an attack would require the user to be logged in. An example of how one would be executed can be found here.

Apple has been criticised for its security efforts in the past. It was slammed for not reacting quicker to close of the Flashback malware threat, and some want it to set up a proper bug bounty programme, akin to what Google, Facebook and others do.

That would encourage more researchers to notify Apple of flaws, but some aren’t convinced the iPhone maker would ever institute such a programme.

“Many other companies would pay you to find bugs like these and fix them almost on the spot,” Troy Hunt,  software architect and Microsoft Most Valuable Professional for developer security, told TechWeek.

A bug bounty initiative “would be much more consistent with the likes of Google and eBay but very inconsistent with the ethos of Apple secrecy,” Hunt added.

“I’ve been ranting a bit about disclosure myself lately, it can be very hard to get an organisation to take notice of something that’s in their own best interest.”

What do you know about Internet security? Find out with our quiz!