Wednesday, 29 July 2015

App Store And iTunes Exposed Significant Vulnerabilities: Relates To System Security

Security experts recently discovered a major flaw in Apple's iTunes App Store and invoice systems. An attacker who exploited this vulnerability could hijack sessions, the malicious manipulation of the invoice. Vulnerability Lab's security researcher Benjamin Kunz Mejri announced its discovery of this vulnerability this week. The major drawback is that the injection-side input validation web application vulnerabilities. The security researcher said in the announcement, can contribute to the flawed content features and services modules inject malicious script code through this vulnerability a remote attacker.

Mejri introduction represents an attacker could exploit the vulnerability approach is to replace the malicious script code to control the value of the invoice module name. If the device is in the Apple store to buy, the backend will use the name value to add coding control condition, which can generate an invoice before the invoice is sent to the seller. The consequences of this will lead to is to have the application side scripting code execution Apple invoice. The severity rating of the vulnerability is CVSS 5.8 (universal vulnerability rating system).

In addition the network attacker can also interact with other Apple applications store account users to control this vulnerability by continuing operating environment, irrespective of the user is the sender or recipient will not affect them take advantage of this loophole. The security researcher said invoice is available to sellers and buyers of both sides, this will give the buyer, the seller or the Apple web administrators / developers to bring great risk.

An attacker can also exploit this vulnerability to hijack user sessions, constantly launch phishing attacks, create links to external resources redirected lasting, influence or manipulation is connected to the service module.

After Mejri found the vulnerability in June 8 was the notification and coordination, then it would be for Apple's product security team issued a notice supplier, Apple after notification responded and feedback, Apple Developer Group provides repair After notice vulnerability, Vulnerability Laboratory was recently disclosed that they discovered this vulnerability.

Earlier this month, Apple's new version of iOS and OS X operating system, the existence of many security vulnerabilities were patched. In a security bulletin, Apple said they released the iOS 8.4 contains 20 multiple patches, the existence of remote code execution, the application terminates, encrypted traffic interception and other issues were corrected.

In these updates, the one called "Logjam" defects has been resolved. It is used in the Diffie-Hellman key exchange algorithm encryption vulnerabilities, the technology is widely used to share key and create a secure communication channel in the Internet protocol. That could allow hundreds of thousands of websites and servers using HTTPS exposed to the risk of theft and traffic is intercepted, and thus may be subject to-middle attack.

At least one of these issues will have a direct impact on Apple Watch. The problem exists in the application installation link, malicious applications can exploit the vulnerability Watch prevent application launch.

Proof of Concept

No comments:

Post a Comment