XSS Exploit found on Apple iTunes site… again

[Screenshot: xss apple login]

Update: Apple has fixed the hole. The link below is preserved for posterity, but it no longer displays anything abnormal.

A few weeks ago there was an active XSS exploit on Apple.com, in the iTunes section of the site. A tipster has now sent us the exact same cross-site scripting hole, found again on the Apple iTunes site (the UK site in this case). The bug is plain HTML injection: the page echoes query-string parameters such as artistName and albumName into its markup without escaping them, so whatever is placed in those parameters is rendered as part of a genuine apple.com page. As a result, some rather amusing variations of the Apple iTunes page are appearing, and again some very frightening ones: the screenshot above shows a fake login page that accepts a username and password, stores the credentials on a foreign server, and then sends you back to Apple.com. Because the form is served from the real apple.com domain, nothing in the address bar gives it away. The most annoying variation sent to us tried to stuff about 100 cookies onto my machine, started an endless loop of JavaScript pop-ups with a Flash file embedded in each of them, and iframed about 20 other iframes, all while playing some really awful music.

Here is a relatively harmless variation of the XSS-capable URL; it iframes Google.com. The injected markup sits in the artistName parameter, and albumName carries the tipster's own comment on the bug:

http://www.apple.com/uk/itunes/affiliates/download/?artistName=Apple%20%3Cbr/%3E%20%3Ciframe%20src=http%3A//www.google.com/%20width=600%20height=200%3E%3C/iframe%3E&thumbnailUrl=http%3A//images.apple.com/home/images/promo_mac_ads_20091022.jpg&itmsUrl=http%3A%2F%2Fitunes.apple.com%2FWebObjects%2FMZStore.woa%2Fwa%2FviewAlbum%3Fid%3D330407877%26s%3D143444%26ign-mscache%3D1&albumName=a%20wide-open%20HTML%20injection%20hole

It doesn't take much effort to make your own version: URL-encode whatever HTML you want rendered and put it in artistName or albumName. Anyway, let's hope Apple fixes this quickly.
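To show concretely what the URL above does, here is an added example (not code from the original post, and not Apple's own page code, which is not public). It decodes the posted URL the way the server would, renders the parameters through an assumed page template that concatenates them unescaped (the behaviour the post describes), and then renders them again through a hardened template that HTML-escapes text and checks the scheme of URL parameters. The template markup and the function names are assumptions for illustration only.

```javascript
// Added example: models the HTML-injection hole described in the post.
// The real apple.com template is not public; the markup below is an
// assumption built only from the parameter names in the posted URL.
// Runs under Node.js (URL and URLSearchParams are globals).

// The URL quoted in the post, used here as the sample input.
const EXAMPLE_URL =
  'http://www.apple.com/uk/itunes/affiliates/download/?artistName=Apple%20%3Cbr/%3E%20%3Ciframe%20src=http%3A//www.google.com/%20width=600%20height=200%3E%3C/iframe%3E&thumbnailUrl=http%3A//images.apple.com/home/images/promo_mac_ads_20091022.jpg&itmsUrl=http%3A%2F%2Fitunes.apple.com%2FWebObjects%2FMZStore.woa%2Fwa%2FviewAlbum%3Fid%3D330407877%26s%3D143444%26ign-mscache%3D1&albumName=a%20wide-open%20HTML%20injection%20hole';

// Decode the four reflected parameters. The result is what the server sees
// after URL decoding, i.e. the raw HTML the attacker wants echoed.
function parseAffiliateUrl(urlString) {
  const { searchParams } = new URL(urlString);
  const get = (name) => searchParams.get(name) || '';
  return {
    artistName: get('artistName'),
    albumName: get('albumName'),
    thumbnailUrl: get('thumbnailUrl'),
    itmsUrl: get('itmsUrl'),
  };
}

// Vulnerable rendering (assumed template): parameters are concatenated
// straight into the markup, so an <iframe>, <script> or <form> placed in
// artistName or albumName becomes a live element on the page.
function renderVulnerable(p) {
  return [
    '<div class="promo">',
    `  <img src="${p.thumbnailUrl}" alt="">`,
    `  <h2>${p.artistName}</h2>`,
    `  <p>${p.albumName}</p>`,
    `  <a href="${p.itmsUrl}">Download on iTunes</a>`,
    '</div>',
  ].join('\n');
}

// HTML-escape for text content and double-quoted attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Parameters that land in src/href also need a scheme check: escaping
// alone would still let javascript: or data: URLs through.
function safeHttpUrl(s) {
  try {
    const u = new URL(s);
    return (u.protocol === 'http:' || u.protocol === 'https:') ? u.href : '';
  } catch (e) {
    return '';
  }
}

// Hardened rendering: same template, every parameter escaped for its context.
function renderSafe(p) {
  return [
    '<div class="promo">',
    `  <img src="${escapeHtml(safeHttpUrl(p.thumbnailUrl))}" alt="">`,
    `  <h2>${escapeHtml(p.artistName)}</h2>`,
    `  <p>${escapeHtml(p.albumName)}</p>`,
    `  <a href="${escapeHtml(safeHttpUrl(p.itmsUrl))}">Download on iTunes</a>`,
    '</div>',
  ].join('\n');
}

// Quick check: does the rendered page contain an injected element?
function hasInjectedTag(html) {
  return /<(iframe|script|form|object|embed)\b/i.test(html);
}

const params = parseAffiliateUrl(EXAMPLE_URL);
console.log(params.artistName); // Apple <br/> <iframe src=http://www.google.com/ width=600 height=200></iframe>
console.log(hasInjectedTag(renderVulnerable(params))); // true
console.log(hasInjectedTag(renderSafe(params)));       // false
```

The escaped version still shows the attacker's text (the reader sees the literal characters `<iframe ...>` in the heading), but it is no longer markup, which is the whole fix. The scheme check matters for the two URL parameters: an escaped `javascript:` URL in an `href` is still a `javascript:` URL.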

Attached are a few more screenshots of links sent in by tipster "WhaleNinja" (great name, by the way).

[Screenshots: apple xss hack, apple xss 2, apple xss 3]

Posted by: Bill Ellis


Comments: 2

Comment from Douglas
Time: November 18, 2009, 1:34 pm

After playing around a bit, I was able to manipulate the above URL with an iframe that forces a download of an .exe file, fun!

Comment from C
Time: November 18, 2009, 6:33 pm

I thought Mac was supposed to be safe??? lol

November 18th, 2009