Wednesday, July 29, 2015

App Store Invoice JavaScript Injection

Darren Pauli (via Ole Begemann):

“After we received no serious reply, we released the data,” Mejri told El Reg in an email. Apple did not respond to a request for comment, and it’s not clear if the vulnerability has been addressed.

In a nuthsell, the bug works like this: you change the name of your iThing to include JavaScript code, then download or purchase an app from either the Mac or iTunes stores. Apple's systems generate an invoice, and email it to you and make a copy available online from your store account.

That JavaScript code stashed in your device name will be embedded in the invoice, so opening it in a browser will execute it, allowing it to attempt to do bad things like hijack your Apple account. Sellers and Apple staff viewing a copy of the invoice will also get attacked.

1 Comment RSS · Twitter

Funniest horrible malware attack vector EVAR.

Leave a Comment