XSS Exploit found on Apple iTunes site… again

Nov 18, 2009 - 2 Comments

xss apple login

Update: Apple has fixed the exploit, the below link is preserved for posterity but no longer works to display anything abnormal.

A few weeks ago, there was an active XSS Exploit on Apple.com with their iTunes site. Well, a tipster sent us the exact same cross site scripting exploit found again on the Apple iTunes site (UK in this case). As a result, there are some rather amusing variations of the Apple iTunes page appearing, and again some very frightening ones, as the above screenshot demonstrates a login page that accepts username and password information, stores this login data on a foreign server, then sends you back to Apple.com. The most annoying variation sent to us tried to stuff about 100 cookies onto my machine, initiated an endless loop of javascript pop-ups with Flash files embedded in each of them, and iframed about 20 other iframes, all while playing some really awful music.

Here’s a relatively harmless variation of the XSS capable URL, it iframes Google.com:


It doesn’t take much effort to do your own version. Anyway, let’s hope Apple fixes this quick.

Attached are a few more screenshots of links sent in by tipster “WhaleNinja” (great name by the way)

apple xss hack
apple xss 2

apple xss 3


Related articles:

Posted by: Bill Ellis in Apple.com, Security


» Comments RSS Feed

  1. C says:

    i thought mac was suposed 2 be safe??? lol

  2. Douglas says:

    After playing around a bit, I was able to manipulate the above URL with an iframe that forces a download of an .exe file, fun!

Leave a Reply


Shop on Amazon.com and help support OSXDaily!

Subscribe to OSXDaily

Subscribe to RSS Subscribe to Twitter Feed Follow on Facebook Subscribe to eMail Updates

Tips & Tricks


iPhone / iPad



Shop on Amazon to help support this site