Apple.com XSS Exploit found on iTunes site

Update: Apple has fixed the exploit!

I imagine this will get fixed relatively quickly, but you can do some funny (and potentially scary) things with Apple.com’s iTunes Affiliate sites just by modifying the URL parameters. The modified Apple.com URL is formed as follows:
http://www.apple.com/itunes/affiliates/download/?artistName=OSXDaily.com&thumbnailUrl=http://osxdaily.com/wp-content/themes/osxdaily-leftalign/img/osxdailylogo2.jpg&itmsUrl=http://www.osxdaily.com&albumName=Best+Mac+Blog+Ever

Click here for the OSXDaily.com version of the XSS exploit on Apple.com – it is safe, it just displays what’s in the above screenshot.

You can put whatever you want in the URL by changing the text and image links, which has led to some extremely funny hacked versions of Apple’s iTunes website. Other users have further modified the URL to be able to include other webpages, javascripts, and flash content via iFrames of other sites, which opens the door for all sorts of problems. At this point it’s only funny because nobody has used it for nefarious purposes, but if the hole is open for too long don’t be surprised if someone does. OS X Daily reader Mark sent this tip in with a modified link that opened a series of popup windows and had an iframe displaying less than savory content, displayed under the apparent (although hacked) Apple.com branding, and that is exactly the kind of thing that needs to be avoided. Let’s hope Apple fixes this quickly.

Here are some more screenshots showing what the URL modification in action, preserved for posterity:

Here’s one taking the Windows 7 joke even further by inserting an iframe with the Microsoft site into the content:

[ Reader submission found via Reddit: Apple XSS Exploit - Thanks Mark! ]