Apple.com XSS Exploit found on iTunes site

Nov 3, 2009 - 8 Comments

osxdaily apple

Update: Apple has fixed the exploit!

I imagine this will get fixed relatively quickly, but you can do some funny (and potentially scary) things with Apple.com’s iTunes Affiliate sites just by modifying the URL parameters. The modified Apple.com URL is formed as follows:
http://www.apple.com/itunes/affiliates/download/?artistName=OSXDaily.com&thumbnailUrl=http://cdn.osxdaily.com/wp-content/themes/osxdaily-leftalign/img/osxdailylogo2.jpg&itmsUrl=http://www.osxdaily.com&albumName=Best+Mac+Blog+Ever

Click here for the OSXDaily.com version of the XSS exploit on Apple.com – it is safe, it just displays what’s in the above screenshot.

You can put whatever you want in the URL by changing the text and image links, which has led to some extremely funny hacked versions of Apple’s iTunes website. Other users have further modified the URL to be able to include other webpages, javascripts, and flash content via iFrames of other sites, which opens the door for all sorts of problems. At this point it’s only funny because nobody has used it for nefarious purposes, but if the hole is open for too long don’t be surprised if someone does. OS X Daily reader Mark sent this tip in with a modified link that opened a series of popup windows and had an iframe displaying less than savory content, displayed under the apparent (although hacked) Apple.com branding, and that is exactly the kind of thing that needs to be avoided. Let’s hope Apple fixes this quickly.

Here are some more screenshots showing what the URL modification in action, preserved for posterity:

windows7 apple

Here’s one taking the Windows 7 joke even further by inserting an iframe with the Microsoft site into the content:
iframe apple

[ Reader submission found via Reddit: Apple XSS Exploit - Thanks Mark! ]

Enjoy this tip? Subscribe to the OSXDaily newsletter to get more of our great Apple tips, tricks, and important news delivered to your inbox! Enter your email address below:

Related articles:

Posted by: Bill Ellis in Apple.com, Security

8 Comments

» Comments RSS Feed

  1. HolyMoly says:

    I don’t think this is true XSS Exploit because it is sanitized, however I was able to force multiple downloads without confirmation to several machines by inserting an iframe with a direct download link, that is just too easy. I can also replicate the endless popups you described and you have to kill the browser to escape the loop.

    Someone is getting fired!

  2. [...] friends over at OS X Daily passed along their story noting that Apple’s site for iTunes Affiliates was vulnerable to a [...]

  3. [...] friends over at OS X Daily passed along their story noting that Apple’s site for iTunes Affiliates was vulnerable to a [...]

  4. [...] under: Hacks, iTunes, AppleOur friends over at OS X Daily passed along their story noting that Apple’s site for iTunes Affiliates was vulnerable to a [...]

  5. [...] friends over at OS X Daily passed along their story noting that Apple’s site for iTunes Affiliates was vulnerable to a [...]

  6. [...] friends over at OS X Daily passed along their story noting that Apple’s site for iTunes Affiliates was vulnerable to a [...]

  7. [...] few weeks ago, there was an active XSS Exploit on Apple.com with their iTunes site. Well, a tipster sent us the exact same cross site scripting exploit that [...]

Leave a Reply

 

Shop for Apple & Mac Deals on Amazon.com

Subscribe to OSXDaily

Subscribe to RSS Subscribe to Twitter Feed Follow on Facebook Subscribe to eMail Updates