Apple.com XSS Exploit found on iTunes site
Update: Apple has fixed the exploit!
I imagine this will get fixed relatively quickly, but you can do some funny (and potentially scary) things with Apple.com’s iTunes Affiliate sites just by modifying the URL parameters. The modified Apple.com URL is formed as follows:
http://www.apple.com/itunes/affiliates/download/?artistName=OSXDaily.com&thumbnailUrl=https://cdn.osxdaily.com/wp-content/themes/osxdaily-leftalign/img/osxdailylogo2.jpg&itmsUrl=https://osxdaily.com&albumName=Best+Mac+Blog+Ever
Click here for the OSXDaily.com version of the XSS exploit on Apple.com – it is safe, it just displays what’s in the above screenshot.
You can put whatever you want in the URL by changing the text and image links, which has led to some extremely funny hacked versions of Apple’s iTunes website. Other users have further modified the URL to be able to include other webpages, javascripts, and flash content via iFrames of other sites, which opens the door for all sorts of problems. At this point it’s only funny because nobody has used it for nefarious purposes, but if the hole is open for too long don’t be surprised if someone does. OS X Daily reader Mark sent this tip in with a modified link that opened a series of popup windows and had an iframe displaying less than savory content, displayed under the apparent (although hacked) Apple.com branding, and that is exactly the kind of thing that needs to be avoided. Let’s hope Apple fixes this quickly.
Here are some more screenshots showing what the URL modification in action, preserved for posterity:
Here’s one taking the Windows 7 joke even further by inserting an iframe with the Microsoft site into the content:
[ Reader submission found via Reddit: Apple XSS Exploit – Thanks Mark! ]
[…] few weeks ago, there was an active XSS Exploit on Apple.com with their iTunes site. Well, a tipster sent us the exact same cross site scripting exploit that […]
[…] friends over at OS X Daily passed along their story noting that Apple’s site for iTunes Affiliates was vulnerable to a […]
[…] friends over at OS X Daily passed along their story noting that Apple’s site for iTunes Affiliates was vulnerable to a […]
[…] under: Hacks, iTunes, AppleOur friends over at OS X Daily passed along their story noting that Apple’s site for iTunes Affiliates was vulnerable to a […]
[…] friends over at OS X Daily passed along their story noting that Apple’s site for iTunes Affiliates was vulnerable to a […]
It is a true XSS exploit.
http://en.wikipedia.org/wiki/Cross-site_scripting
[…] friends over at OS X Daily passed along their story noting that Apple’s site for iTunes Affiliates was vulnerable to a […]
I don’t think this is true XSS Exploit because it is sanitized, however I was able to force multiple downloads without confirmation to several machines by inserting an iframe with a direct download link, that is just too easy. I can also replicate the endless popups you described and you have to kill the browser to escape the loop.
Someone is getting fired!