Vulnerability Lab founder Benjamin Kunz Mejri says he’s found a security bug in Apple’s Mac and iOS app stores that could be exploited to inject malicious JavaScript code into victims’ web browsers.
Mejri reported the “application-side input validation web vulnerability” to Apple in early June, and went public with details of the flaw on Monday this week after conversations with Apple’s security team petered out.
“After we received no serious reply, we released the data,” Mejri told El Reg in an email. Apple did not respond to a request for comment, and it’s not clear if the vulnerability has been addressed.
In a nutshell, the bug works like this: you change the name of your iThing to include JavaScript code, then download or purchase an app from either the Mac or iTunes stores. Apple’s systems generate an invoice, email it to you, and make a copy available online from your store account.
That JavaScript code stashed in your device name will be embedded in the invoice, so opening it in a browser will execute it, allowing it to attempt to do bad things like hijack your Apple account. Sellers and Apple staff viewing a copy of the invoice will also get attacked.
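An added illustration (not code from the article, Vulnerability Lab or Apple) of the flaw class described above: a device name placed into invoice HTML without output encoding, next to a version that encodes it at render time. The function names, invoice fields and sample values are assumptions constructed for the example.

```javascript
// Hypothetical invoice renderer; none of these names come from Apple's systems.

// Characters that are significant in HTML text and quoted attribute values.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the user-controlled device name is concatenated into markup as-is,
// so any markup it contains becomes part of the invoice page.
function renderInvoiceUnsafe(invoice) {
  return `<tr><td>${invoice.item}</td><td>${invoice.deviceName}</td></tr>`;
}

// Hardened pattern: every field is encoded at the point of output, so the
// device name is displayed as text no matter what was stored.
function renderInvoiceSafe(invoice) {
  return `<tr><td>${escapeHtml(invoice.item)}</td><td>${escapeHtml(invoice.deviceName)}</td></tr>`;
}

// Check used on rendered output: did a script element appear that the template never had?
function containsScriptElement(html) {
  return /<\s*script\b/i.test(html);
}

// Audit helper for already-stored records: return ids whose device name carries
// angle brackets, which a plain device label has no reason to contain.
function findSuspectInvoices(records) {
  return records.filter((r) => /[<>]/.test(r.deviceName)).map((r) => r.id);
}

// Constructed sample data (not taken from the advisory).
const sampleInvoices = [
  { id: "INV-1", item: "Example App", deviceName: "Ben's iPhone" },
  { id: "INV-2", item: "Example App", deviceName: 'iPad"><script>alert(1)</script>' },
];

for (const inv of sampleInvoices) {
  console.log(inv.id, "unsafe render has script:", containsScriptElement(renderInvoiceUnsafe(inv)));
  console.log(inv.id, "safe render has script:  ", containsScriptElement(renderInvoiceSafe(inv)));
}
console.log("suspect records:", findSuspectInvoices(sampleInvoices));
```

Encoding at output time protects every viewer of the invoice, including the seller and staff views the article mentions, regardless of which front end accepted the device name.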