Apple Inc has fixed a serious remote vulnerability in its App Store and iTunes Store web app that posed a significant risk to buyers, sellers or Apple website managers/developers.
The flaw, which was first uncovered by a security researcher from Vulnerability Lab, Benjamin Kunz Merjri on June 8, could allow an attacker to inject malicious script into invoices that come from Apple and that lead to session hijacking, phishing, and redirect.
"The apple itunes and appstore is taking the device cell name of the buying users. Remote attackers can manipulate the name value by an exchange with script code (special chars). After that the attacker buys any article in the appstore or itunes-store." The security advisory reads.
"During that procedure the internal appstore service takes the device value and does encode it with wrong conditions. The seller account context runs since the error with the injected script code occurs and gets this way re-implemented to the invoice. Thus results in an application-side script code execution in the invoice of apple.
Researchers said the vulnerability can be exploited by remote attackers with low privilege web-application user account with low or medium user interaction.
Following the disclosure of the vulnerability, the company fixed the flaw.