Saturday, June 18, 2011

Disclosure: iTunes Store Authentication Vulnerability

Apple recently worked with AOL to fix a vulnerability that I discovered in the iTunes Store authentication process. Following is a press release that was just published by upSploit, the advisory management organization I selected to help coordinate with Apple:
On June 4th, 2011, upSploit Limited released a vulnerability for the iTunes Store, App Store and iTunes. This vulnerability seemed to be a problem in the way Apple integrated AOL usernames and passwords into its services.

Prior to this vulnerability being fixed, Apple would accept incorrect passwords from users logging into the store using an AOL Screen Name. Incomplete passwords, passwords with incorrect letter case, passwords with incorrect or extra characters at the end, or a combination of any or all of these, were accepted by Apple. Knowledge of this vulnerability could potentially have been used by attackers, leading to disclosure of personally identifiable information, identity theft, and fraudulent purchases.

The vulnerability took the whole 6 month disclosure time limit to be announced as Apple were at first unresponsive to the problem and then when they did respond were initially unable to reproduce it. The discoverer of the bug, Joshua Long, contacted them and helped them find the problem and they fixed it almost immediately.

Long had this to say about the process:

"When I discovered this security vulnerability last year, I felt that it was serious enough to warrant submitting it to a responsible third-party vulnerability management organization rather than only to Apple or AOL. I have submitted reports to both companies in the past, and I have found that sometimes it can take them a very long time to respond to a security issue. Case in point: AOL still doesn't seem to care about encrypting its Web-based e-mail service, in spite of Firesheep shining a spotlight on the problem last year. I hoped that bringing in a third party to work with the vendor would help encourage the vendor to take the issue seriously and fix it more quickly. I first approached a leading vulnerability management organization, but their policy was to not accept vulnerabilities in services. I had previously heard about upSploit on a security podcast and I decided to give the service a try. I liked that upSploit automatically and routinely reminds the vendor about the vulnerability and the date on which it will be disclosed to the public. I believe that upSploit's persistence was a major factor in motivating the vendor to take action and to resolve the issue."

Any credit for the vulnerability should be given to Joshua Long aka the JoshMeister. You can follow him on Twitter here - and can view his security blog here -

EDIT: Apple also acknowledged me at for reporting this issue.
