Apple.com XSS Exploit found on iTunes site

Nov 3, 2009 - 8 Comments

osxdaily apple

Update: Apple has fixed the exploit!

I imagine this will get fixed relatively quickly, but you can do some funny (and potentially scary) things with Apple.com’s iTunes Affiliate sites just by modifying the URL parameters. The modified Apple.com URL is formed as follows:
http://www.apple.com/itunes/affiliates/download/?artistName=OSXDaily.com&thumbnailUrl=https://cdn.osxdaily.com/wp-content/themes/osxdaily-leftalign/img/osxdailylogo2.jpg&itmsUrl=https://osxdaily.com&albumName=Best+Mac+Blog+Ever

Click here for the OSXDaily.com version of the XSS exploit on Apple.com – it is safe, it just displays what’s in the above screenshot.

You can put whatever you want in the URL by changing the text and image links, which has led to some extremely funny hacked versions of Apple’s iTunes website. Other users have further modified the URL to be able to include other webpages, javascripts, and flash content via iFrames of other sites, which opens the door for all sorts of problems. At this point it’s only funny because nobody has used it for nefarious purposes, but if the hole is open for too long don’t be surprised if someone does. OS X Daily reader Mark sent this tip in with a modified link that opened a series of popup windows and had an iframe displaying less than savory content, displayed under the apparent (although hacked) Apple.com branding, and that is exactly the kind of thing that needs to be avoided. Let’s hope Apple fixes this quickly.

Here are some more screenshots showing what the URL modification in action, preserved for posterity:

windows7 apple

Here’s one taking the Windows 7 joke even further by inserting an iframe with the Microsoft site into the content:
iframe apple

[ Reader submission found via Reddit: Apple XSS Exploit – Thanks Mark! ]

.

Related articles:

Posted by: Bill Ellis in Apple.com, Security

8 Comments

» Comments RSS Feed

  1. […] few weeks ago, there was an active XSS Exploit on Apple.com with their iTunes site. Well, a tipster sent us the exact same cross site scripting exploit that […]

  2. […] friends over at OS X Daily passed along their story noting that Apple’s site for iTunes Affiliates was vulnerable to a […]

  3. […] friends over at OS X Daily passed along their story noting that Apple’s site for iTunes Affiliates was vulnerable to a […]

  4. […] under: Hacks, iTunes, AppleOur friends over at OS X Daily passed along their story noting that Apple’s site for iTunes Affiliates was vulnerable to a […]

  5. […] friends over at OS X Daily passed along their story noting that Apple’s site for iTunes Affiliates was vulnerable to a […]

  6. […] friends over at OS X Daily passed along their story noting that Apple’s site for iTunes Affiliates was vulnerable to a […]

  7. HolyMoly says:

    I don’t think this is true XSS Exploit because it is sanitized, however I was able to force multiple downloads without confirmation to several machines by inserting an iframe with a direct download link, that is just too easy. I can also replicate the endless popups you described and you have to kill the browser to escape the loop.

    Someone is getting fired!

Leave a Reply

 

Shop on Amazon.com and help support OSXDaily!

Subscribe to OSXDaily

Subscribe to RSS Subscribe to Twitter Feed Follow on Facebook Subscribe to eMail Updates

Tips & Tricks

News

iPhone / iPad

Mac

Troubleshooting

Shop on Amazon to help support this site