XSS Exploit found on Apple iTunes site… again

Nov 18, 2009 - 2 Comments

[Screenshot: xss apple login]

Update: Apple has fixed the exploit, the below link is preserved for posterity but no longer works to display anything abnormal.

A few weeks ago there was an active XSS exploit on Apple.com's iTunes site. Now a tipster has sent us the exact same cross-site scripting hole, found again on the Apple iTunes site (the UK site this time). As a result, some rather amusing variations of the Apple iTunes page are appearing, and again some very frightening ones: the screenshot above shows a fake login page that accepts a username and password, stores the credentials on a foreign server, then sends you back to Apple.com. The most annoying variation sent to us tried to stuff about 100 cookies onto my machine, started an endless loop of JavaScript pop-ups with a Flash file embedded in each of them, and iframed about 20 other iframes, all while playing some really awful music.

Here's a relatively harmless variation of the XSS-capable URL; it iframes Google.com:

http://www.apple.com/uk/itunes/affiliates/download/?artistName=Apple%20%3Cbr/%3E%20%3Ciframe%20src=http%3A//www.google.com/%20width=600%20height=200%3E%3C/iframe%3E&thumbnailUrl=http%3A//images.apple.com/home/images/promo_mac_ads_20091022.jpg&itmsUrl=http%3A%2F%2Fitunes.apple.com%2FWebObjects%2FMZStore.woa%2Fwa%2FviewAlbum%3Fid%3D330407877%26s%3D143444%26ign-mscache%3D1&albumName=a%20wide-open%20HTML%20injection%20hole

It doesn't take much effort to do your own version. Anyway, let's hope Apple fixes this quickly.
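As an added example (not code from this post or from Apple), the following Python decodes the artistName parameter of the URL above, shows why reflecting it verbatim produces the injection while HTML-encoding it first does not, and includes a simple check that flags request URLs whose query values decode to HTML tags. The two render functions are hypothetical stand-ins for whatever the affiliates page actually did with its parameters.

```python
import re
from html import escape
from urllib.parse import parse_qs, urlsplit

# The iframe variant of the URL quoted in the post, copied here as the sample input.
XSS_URL = (
    "http://www.apple.com/uk/itunes/affiliates/download/?artistName=Apple%20%3Cbr/%3E%20"
    "%3Ciframe%20src=http%3A//www.google.com/%20width=600%20height=200%3E%3C/iframe%3E"
    "&thumbnailUrl=http%3A//images.apple.com/home/images/promo_mac_ads_20091022.jpg"
    "&itmsUrl=http%3A%2F%2Fitunes.apple.com%2FWebObjects%2FMZStore.woa%2Fwa%2FviewAlbum"
    "%3Fid%3D330407877%26s%3D143444%26ign-mscache%3D1"
    "&albumName=a%20wide-open%20HTML%20injection%20hole"
)

TAG_RE = re.compile(r"<\s*/?\s*([A-Za-z][A-Za-z0-9]*)")


def params_from(url):
    """Return the decoded (artistName, albumName) pair from a download-page URL."""
    qs = parse_qs(urlsplit(url).query)
    return qs.get("artistName", [""])[0], qs.get("albumName", [""])[0]


def render_unsafe(artist, album):
    # Hypothetical stand-in for the flaw: untrusted values dropped straight into the markup.
    return f"<h2>{artist}</h2><p>{album}</p>"


def render_safe(artist, album):
    # The fix: HTML-encode every untrusted value before it reaches the page, so
    # '<' becomes '&lt;' and the browser never sees a tag.
    return f"<h2>{escape(artist, quote=True)}</h2><p>{escape(album, quote=True)}</p>"


def injected_tags(url):
    """Detection check for logs or a proxy: tag names found in decoded query values."""
    found = set()
    for values in parse_qs(urlsplit(url).query).values():
        for value in values:
            found.update(t.lower() for t in TAG_RE.findall(value))
    return sorted(found)


if __name__ == "__main__":
    artist, album = params_from(XSS_URL)
    print("decoded artistName:", artist)
    print("unsafe render contains <iframe:", "<iframe" in render_unsafe(artist, album))
    print("safe render contains <iframe:  ", "<iframe" in render_safe(artist, album))
    print("tags injected via query string:", injected_tags(XSS_URL))
```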

Attached are a few more screenshots of links sent in by tipster "WhaleNinja" (great name, by the way).

[Screenshots: apple xss hack, apple xss 2, apple xss 3]


Posted by: Bill Ellis in Apple.com, Security

2 Comments


  1. Douglas says:

    After playing around a bit, I was able to manipulate the above URL with an iframe that forces a download of an .exe file, fun!

  2. C says:

    I thought Mac was supposed to be safe??? lol
