http://www.wired.com/news/privacy/0,1848,58718,00.html By Brian McWilliams May. 05, 2003 Apple Computer said it fixed a security flaw at its online store late last week that could have enabled attackers to hijack customers' accounts and place fraudulent orders. The flaw, discovered by an anonymous Canadian security researcher who uses the nickname "Null," potentially allowed malicious users to change Apple Store customers' passwords and gain control of the victims' account data. Information stored by Apple includes customers' names, mailing addresses, telephone numbers, order histories and credit card information. To steal an Apple Store customer's account, a malicious user merely needed to know the victim's e-mail address. Once in control of an account, an attacker potentially could have ordered computer products from the store or downloaded music from Apple's new iTunes Music Store using the victim's credit card number on file. An intruder would not, however, have been able to retrieve the complete credit card number and use it outside of the Apple Store. Apple representatives said the company corrected the problem Friday, but declined to provide details of the fix. Spokesman Bill Evans said Apple does not believe any customers were affected by the vulnerability. "We take all reports of security vulnerabilities seriously, and we create a fix as soon as possible. We've had a track record of being able to respond quickly," said Evans. After being contacted by Null last Wednesday and easily confirming his discovery using a test account, Wired News notified Apple of the problem. Null said he discovered the vulnerability at Apple.com using the "view source" option in his Web browser while visiting a section of the online store designed to help people who have forgotten their passwords. After submitting his e-mail address, as requested by the system, Null said he noticed that Apple was hiding a string of letters and numbers in the source code to one of the pages designed to confirm users' identities. By cutting and pasting that "hash" into a separate page for specifying the new password, Null was able to change his password without answering the secret question used to authenticate him. Last year, Null identified a similar password security problem at the eBay website. While Apple is renowned for the elegant design of its products, even the best software engineers often do not anticipate that users will try hard to break their software, according to Bruce Schneier, chief technology officer for Counterpane Internet Security. "Security is different than other kinds of engineering," said Schneier. "Engineering is about making things work. Security is about making sure things don't fail badly. You have to assume a malicious adversary." Null said attackers who commandeered an Apple Store customer's account could specify that products be shipped to a "drop spot" location using the victim's credit card. When a password change is submitted to the Apple Store site, the account holder receives an e-mail notification. Such a notice could alert a victim of an account hijack, but the user would be unable to log in to the account. Besides providing access to an array of computer hardware and software for sale, Apple's log-in system authenticates customers of the iTunes store, which sells downloadable music tracks for 99 cents each. The programming error could have enabled malicious users to download music at the victim's expense, Null said. Apple's Mac.com online publishing service uses a similar system for resetting forgotten passwords, but Null said the service did not appear to be vulnerable to the cut-and-paste exploit. Apple had no immediate information about whether the vulnerability lies in the company's WebObjects software used at the store, or whether it would affect third-party sites running the software. - ISN is currently hosted by Attrition.org To unsubscribe email firstname.lastname@example.org with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Tue May 06 2003 - 00:18:24 PDT