
Apple.com XSS attack - NathanKP
http://i.imgur.com/OfdDC.png
======
benhoyt
As I mentioned on proggit, that URL doesn't actually demonstrate cross-site
_scripting_, but it looks like the page is vulnerable to iframe and scripting
insertion too. Example:

    http://www.apple.com/itunes/affiliates/download/?artistName=<iframe+id%3D"frame"+src%3D"http://www.microsoft.com/"+style%3D"width:+600px;+height:+400px;"></iframe>&thumbnailUrl=http://www.straitstimes.com/STI/STIMEDIA/image/20090501/windows7-microsoft.jpg&itmsUrl=http://www.microsoft.com&albumName=Better+Operating+System

~~~
NathanKP
That is really bad. If you can insert code then you can probably do other even
worse things.

~~~
axod
Probably steal session cookies, then hijack sessions and grab any personal
data etc :/ Not good.

~~~
NathanKP
Someone could make an iframe with what looked like the Apple login and trick
people into "logging in". Then they distribute the URL via shortened URLs
through Twitter and grab a bunch of Apple logins.

Free iTunes until you get caught. Chances are Apple would be able to track who
downloaded what onto what Apple devices. I'm sure retribution would be swift
and thorough.

In my opinion that does count as an XSS attack, though it perhaps does not use
the traditional techniques. (This for those who have said that this is
actually not an XSS attack.)

------
NathanKP
Apple promotes Ubuntu Linux:

[http://www.apple.com/itunes/affiliates/download/?artistName=...](http://www.apple.com/itunes/affiliates/download/?artistName=the+Open+Source+community&thumbnailUrl=http://i210.photobucket.com/albums/bb99/Cyndaquil-Thrill/ubuntu-logo.png&itmsUrl=http://www.ubuntu.com&albumName=something+other+than+Mac+OS+X)

------
johndevor
I think Apple fixed it?

~~~
NathanKP
It looks like they just removed the functionality. So it is fixed for now. It
was fun while it lasted. ;)

~~~
incomethax
Anyone have a screenshot? I seem to have missed all the fun.

~~~
borism
<http://i.imgur.com/OfdDC.png>

------
geuis
[http://www.apple.com/itunes/affiliates/download/?artistName=...](http://www.apple.com/itunes/affiliates/download/?artistName=LITTLEST+PET+SHOP+online&thumbnailUrl=http://www.lpso.com/images/logo.png&itmsUrl=http://www.lpso.com&albumName=an+exciting+all-new+world+for+you,+your+friends+and+your+favorite+pets+to+play)

------
adrinavarro
It looks like the "XSS" bug is mostly client-side, I think that the GET
contents are presented using JS: <http://grab.by/exu> (that's with the given
URL).

It doesn't allow any kind of <script> tag, so yeah, it's fun and a bit
insecure (may be used for phishing?? dunno), but it's not the worst at all.

~~~
willwagner
It allows you to put javascript in a click handler:

[http://www.apple.com/itunes/affiliates/download/?artistName=...](http://www.apple.com/itunes/affiliates/download/?artistName=%3Cimg%20src=%22http://cheapestblog.info/wp-content/uploads/2009/06/click-me.jpg%22%20onclick=%22alert%28%27hello%20world%27%29;%22/%3E)

~~~
adrinavarro
I was wrong, you're right! Now that's medium-insecure. But still, no need to
panic at this, just XSS and client-side (everything is inserted by JS). Well,
there are worse things, right? :)
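An added example, not code from this thread or from Apple's page, modelling the pattern adrinavarro and willwagner describe above: query-string values rendered into the page by client-side script. It shows the unsafe string interpolation beside a hardened renderer that HTML-encodes text and allowlists URL schemes, and a check confirming that stripping `<script>` tags alone leaves an `onclick` handler live. The parameter names are the ones visible in the thread's URLs; the function names, the `example.invalid` host and the sample URL are constructed for the example.

```javascript
// Added example (not from the thread or from Apple): a minimal model of a page
// that renders query-string parameters into HTML on the client. Parameter names
// come from the thread's URLs; everything else here is an assumption.

const PARAMS = ["artistName", "thumbnailUrl", "itmsUrl", "albumName"];

// Pull the four known parameters out of a full page URL (missing ones -> "").
function parseQuery(url) {
  const params = new URL(url).searchParams;
  const out = {};
  for (const name of PARAMS) out[name] = params.get(name) ?? "";
  return out;
}

// Unsafe "before" pattern: values land in the markup verbatim, so a value that
// contains a tag or an on* attribute becomes live markup in the page.
function renderUnsafe(p) {
  return `<div class="album">` +
    `<img src="${p.thumbnailUrl}">` +
    `<a href="${p.itmsUrl}">${p.artistName} - ${p.albumName}</a>` +
    `</div>`;
}

// Encode the five characters that matter in HTML text and attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;"
  })[c]);
}

// Allow only absolute http(s) URLs; javascript:, data:, relative paths and
// unparseable input all collapse to a harmless placeholder. Using the URL
// parser instead of a regex handles leading whitespace and mixed-case schemes.
function safeUrl(s) {
  try {
    const u = new URL(s);
    if (u.protocol === "http:" || u.protocol === "https:") return u.href;
  } catch (_) { /* not an absolute URL */ }
  return "about:blank";
}

// Hardened renderer: every value is encoded for the context it lands in.
function renderSafe(p) {
  return `<div class="album">` +
    `<img src="${escapeHtml(safeUrl(p.thumbnailUrl))}">` +
    `<a href="${escapeHtml(safeUrl(p.itmsUrl))}">` +
    `${escapeHtml(p.artistName)} - ${escapeHtml(p.albumName)}</a>` +
    `</div>`;
}

// The kind of filter the thread notes is not enough: it removes <script>
// elements but does nothing about an <img onclick=...> payload.
function stripScriptTags(s) {
  return s.replace(/<\/?script[^>]*>/gi, "");
}

// Does rendered output still contain executable markup? Checks for a script
// element, any tag carrying an on* event-handler attribute, or a javascript: URL.
function containsActiveMarkup(html) {
  return /<script\b/i.test(html) ||
    /<[a-z][^>]*\son[a-z]+\s*=/i.test(html) ||
    /(href|src)\s*=\s*["']?\s*javascript:/i.test(html);
}

// Constructed sample URL modelled on the click-handler example in the thread.
const SAMPLE = "http://example.invalid/download/?artistName=" +
  encodeURIComponent('<img src="x" onclick="alert(1)">') +
  "&thumbnailUrl=javascript:alert(2)" +
  "&itmsUrl=https://example.invalid/" +
  "&albumName=Hello%20%26%20Goodbye";

if (typeof require !== "undefined" && require.main === module) {
  const p = parseQuery(SAMPLE);
  for (const [label, html] of [
    ["unsafe", renderUnsafe(p)],
    ["script-stripped", stripScriptTags(renderUnsafe(p))],
    ["safe", renderSafe(p)],
  ]) {
    console.log(`${label}: active=${containsActiveMarkup(html)}\n  ${html}`);
  }
}
```

Run with `node` to see the three renderings side by side: the unsafe and script-stripped outputs both still carry the `onclick` handler and the `javascript:` image source, while the encoded output shows the payload as inert text and replaces the bad URL.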

~~~
chrisbroadfoot
"just" XSS?

------
makecheck
Pretty much anything works; such as this. :)

[http://www.apple.com/itunes/affiliates/download/?artistName=...](http://www.apple.com/itunes/affiliates/download/?artistName=love)

~~~
NathanKP
Yep you can do just about anything that you want.

[http://www.apple.com/itunes/affiliates/download/?artistName=...](http://www.apple.com/itunes/affiliates/download/?artistName=the%20meaning%20of%20life)

I'm sure that when Apple finds this they'll close the gap pretty fast though.

~~~
martian
Looks like they already did. For posterity, here's a screenshot:

<http://visualmotive.com/etc/apple_xss.png>

------
white_eskimo
Still works. Jeez, that is pretty bad. How does one go about reporting
something like this? Wonder how long it will take to fix...

~~~
weaksauce
They have a bug reporting mechanism for people who are ADC(free) members or
iPhone developers: <http://www.devworld.apple.com/bugreporter/>

------
gurraman
Looks like they fixed the glitch.

~~~
NathanKP
No they haven't, not as of yet.

~~~
gurraman
You are absolutely right. Sorry about the false alarm.

Seems like it doesn't work in latest WebKit?

~~~
NathanKP
That is a possibility.

------
1234
tiiiu

------
0wned
Complexity kills. Rich Internet Apps will kill all operating systems... except
for OpenBSD.

~~~
NathanKP
Why will OpenBSD be immune?

~~~
0wned
Because it does not try to keep up with the fast-paced, complex flaws of Rich
Internet Apps written by people who have no knowledge of information security
and are only interested in getting attention for themselves and their shitty
start-up.

~~~
jrockway
Hate to say it, but Firefox on OpenBSD is as vulnerable to this bug as any
other browser. Of course, I doubt OpenBSD users have iTunes accounts...

~~~
tedunangst
I have an iTunes account.

