The Apple Notify flaw: How does it allow malicious script injection?

Flaws in the Apple Notify function and iTunes can enable attackers to inject malicious script into the application side. Expert Michael Cobb explains how these vulnerabilities work.

Vulnerability Lab researchers found two flaws in Apple's iTunes and App Store that attackers could use to inject malicious script into the application side of the services. The flaws can be exploited through Apple's new Notify function, which gathers information from devices and alerts users when an application has debuted. How do these vulnerabilities work? What can Apple users do to secure their devices?

Software vendors constantly add new features to their products to drive sales and retain existing customers. As with any change to a program's functionality, new code should be rigorously tested for logic flaws and potential vulnerabilities before its public release. Developers should also be able to avoid repeating past coding errors if the software development lifecycle includes a proper lessons-learned step.

Unfortunately, the Apple Notify function for iOS 10.2 devices contained flaws similar to those previously discovered in Apple's invoice management system (Apple Security ID 623920272). Although the flaws were not easily exploitable, Apple was forced to disable the Notify function.

In 2015, security researcher Benjamin Kunz Mejri discovered a vulnerability within Apple's App Store and the iTunes invoice management system that enabled him to inject malicious code into an invoice document. Mejri later found a similar exploitation scenario in the Apple Notify function. The function was meant for users who wanted to be alerted when a new app became available. An email would be sent to the user's device when the selected title went live on the App Store. Mejri verified his exploit worked when Apple sent out its first notification for the new Super Mario Run app on Dec. 15, 2016.

The attack chains several flaws in the iTunes application and the App Store's iOS Notify function so that a remote attacker can inject malicious script into the email that Notify sends.

When a user taps the Apple Notify button for an unreleased app, the function automatically retrieves information from the device, including the device name value and the primary iCloud email address. The value stored in the device name parameter is neither validated nor sanitized, which produces a persistent (stored) input validation flaw: an attacker can set a device name that contains a JavaScript payload, and it is accepted when stored and accepted again when merged into Notify's HTML email template.
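The following is an added example, not code from the article or from Apple, that illustrates the two halves of this flaw: merging a stored value into an HTML template verbatim versus escaping it for the HTML text context first, with an input-side allowlist check for the device name. The template, the device names and the regular expression are all constructed for the demonstration; the real Notify template and the payload used by the researcher are not shown on this page.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample inputs (not taken from the advisory): a benign device
# name and an attacker-chosen one that breaks out of the <b> element and
# plants an event handler.
BENIGN_NAME = "Alice's iPhone"
MALICIOUS_NAME = (
    '"><img src=x onerror="document.location=\'https://attacker.example/\'">'
)

# Hypothetical HTML email template standing in for the Notify template.
TEMPLATE = (
    "<html><body><p>Hi! The app you asked about is now available.</p>"
    "<p>Requested from device: <b>{device}</b></p></body></html>"
)


def render_vulnerable(device_name: str) -> str:
    """Merges the stored device name into the template verbatim (the flaw)."""
    return TEMPLATE.format(device=device_name)


def render_hardened(device_name: str) -> str:
    """Escapes <, >, &, quotes for an HTML text context before merging."""
    return TEMPLATE.format(device=html.escape(device_name, quote=True))


# Hypothetical allowlist: short, printable device names only. Applied when
# the value is stored, so the template never sees markup in the first place.
DEVICE_NAME_RE = re.compile(r"^[\w .,'()\-]{1,64}$")


def validate_device_name(device_name: str) -> bool:
    """Input-side check; returns False for anything outside the allowlist."""
    return DEVICE_NAME_RE.fullmatch(device_name) is not None


class ActiveContentFinder(HTMLParser):
    """Records script-bearing tags and on* / javascript: attributes in HTML."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe", "object", "embed"):
            self.findings.append(tag)
        for name, value in attrs:
            if name.startswith("on") or (value or "").strip().lower().startswith("javascript:"):
                self.findings.append(f"{tag}@{name}")


def find_active_content(rendered: str) -> list[str]:
    """Parses rendered HTML and lists where active content would execute."""
    finder = ActiveContentFinder()
    finder.feed(rendered)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    print("vulnerable :", find_active_content(render_vulnerable(MALICIOUS_NAME)))
    print("hardened   :", find_active_content(render_hardened(MALICIOUS_NAME)))
    print("allowlisted:", validate_device_name(BENIGN_NAME), validate_device_name(MALICIOUS_NAME))
```

Escaping at the point of output is what actually neutralizes the payload; the allowlist is defence in depth, since a device name legitimately never needs angle brackets. Note that `html.escape` is correct only for the text and quoted-attribute contexts; a value placed inside a URL or a `<script>` block needs context-specific encoding instead.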

Moreover, the remote attacker can set the victim's iCloud email address as the primary address of the attacker's own account without any confirmation from the victim. When Apple sends the Notify email, it goes to that address and carries the payload the attacker inserted through the device name field. The payload executes because Apple's email client also fails to filter the content of the message it renders.
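The second link in the chain is the missing ownership check on the primary email address. The example below is added here and is not Apple's code; it contrasts an unverified address change with a confirm-before-commit flow in which a time-limited token is sent only to the new address and the account's primary address changes only after that token comes back. The `Account` structure, the HMAC construction and the one-hour lifetime are assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Hypothetical server-side key used to bind tokens to (account, address, time).
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 3600  # assumed lifetime of a confirmation token


@dataclass
class Account:
    account_id: str
    primary_email: str            # the only address notifications go to
    pending_email: Optional[str] = None
    pending_issued_at: float = 0.0


def set_primary_email_unverified(acct: Account, new_email: str) -> None:
    """The flaw: anyone controlling the account can point it at any mailbox."""
    acct.primary_email = new_email


def _token(account_id: str, email: str, issued_at: float) -> str:
    msg = f"{account_id}|{email}|{int(issued_at)}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def request_email_change(acct: Account, new_email: str, now: float) -> str:
    """Records the request; the returned token is mailed ONLY to new_email.

    The primary address is untouched, so no notification is routed to the
    new mailbox until its owner proves control of it.
    """
    acct.pending_email = new_email
    acct.pending_issued_at = now
    return _token(acct.account_id, new_email, now)


def confirm_email_change(acct: Account, new_email: str, token: str, now: float) -> bool:
    """Commits the change only for a fresh, correctly bound token."""
    if acct.pending_email != new_email:
        return False
    if now - acct.pending_issued_at > TOKEN_TTL_SECONDS:
        return False
    expected = _token(acct.account_id, new_email, acct.pending_issued_at)
    if not hmac.compare_digest(token, expected):
        return False
    acct.primary_email = new_email
    acct.pending_email = None
    return True


def notification_recipient(acct: Account) -> str:
    """Notifications are addressed to the verified primary address only."""
    return acct.primary_email


if __name__ == "__main__":
    acct = Account("acct-1", "attacker@example.com")
    tok = request_email_change(acct, "victim@example.com", time.time())
    print("before confirm:", notification_recipient(acct))
    print("confirmed:", confirm_email_change(acct, "victim@example.com", tok, time.time()))
    print("after confirm :", notification_recipient(acct))
```

The token is bound to the account, the address and the issue time, and is compared in constant time; an attacker who can type a victim's address into their own account still cannot read the mail that address receives, so the change never completes and the victim never receives the attacker's Notify email.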

This chain of vulnerabilities gives an attacker several options for further compromising the device and the user, such as session hijacking, persistent phishing attacks and persistent redirects to attacker-controlled sites. Until Apple releases a fix for every link in the chain, users should not use the Apple Notify function.
