Expert of Vulnerability Lab Benjamin Kunz interre- found dangerous vulnerability in the system of issuing invoices in the App Store and iTunes, operation of which can lead to session hijacking and manipulation of invoices, reports Securitylab. The flaw occurs because of incorrect test data input on the side of the application and allows you to remotely inject malicious code into a vulnerable function and service modules.
According interre-, an attacker could exploit the vulnerability by manipulating the value of the name (the name under which the product is sold) in the invoice module by changing to the malicious code. When you purchase goods at Apple stores server application encodes the value of its name, under certain conditions, in order to generate an invoice before sending the seller. This vulnerability could allow remote code execution on the side of the application.
Since the invoice is not for the seller and the buyer, and those and others, as well as developers and operators of the site are at risk, sure interre-. Attackers can exploit the vulnerability to intercept sessions, phishing attacks, redirection to third-party sources, and manipulation of the vulnerable or connecting service modules.
The researchers presented a video showing operation gap, and published detailed instructions.
According interre-, an attacker could exploit the vulnerability by manipulating the value of the name (the name under which the product is sold) in the invoice module by changing to the malicious code. When you purchase goods at Apple stores server application encodes the value of its name, under certain conditions, in order to generate an invoice before sending the seller. This vulnerability could allow remote code execution on the side of the application.
Since the invoice is not for the seller and the buyer, and those and others, as well as developers and operators of the site are at risk, sure interre-. Attackers can exploit the vulnerability to intercept sessions, phishing attacks, redirection to third-party sources, and manipulation of the vulnerable or connecting service modules.
The researchers presented a video showing operation gap, and published detailed instructions.
No comments:
Post a Comment