[ISN] Apple Squashes E-Store ID Bug

From: InfoSec News (isnat_private)
Date: Mon May 05 2003 - 22:23:02 PDT


    By Brian McWilliams
    May. 05, 2003

    Apple Computer said it fixed a security flaw at its online store late
    last week that could have enabled attackers to hijack customers'
    accounts and place fraudulent orders.

    The flaw, discovered by an anonymous Canadian security researcher who
    uses the nickname "Null," potentially allowed malicious users to
    change Apple Store customers' passwords and gain control of the
    victims' account data.

    Information stored by Apple includes customers' names, mailing
    addresses, telephone numbers, order histories and credit card

    To steal an Apple Store customer's account, a malicious user merely
    needed to know the victim's e-mail address.

    Once in control of an account, an attacker potentially could have
    ordered computer products from the store or downloaded music from
    Apple's new iTunes Music Store using the victim's credit card number
    on file.

    An intruder would not, however, have been able to retrieve the
    complete credit card number and use it outside of the Apple Store.

    Apple representatives said the company corrected the problem Friday,
    but declined to provide details of the fix. Spokesman Bill Evans said
    Apple does not believe any customers were affected by the

    "We take all reports of security vulnerabilities seriously, and we
    create a fix as soon as possible. We've had a track record of being
    able to respond quickly," said Evans.

    After being contacted by Null last Wednesday and easily confirming his
    discovery using a test account, Wired News notified Apple of the

    Null said he discovered the vulnerability at Apple.com using the "view
    source" option in his Web browser while visiting a section of the
    online store designed to help people who have forgotten their

    After submitting his e-mail address, as requested by the system, Null
    said he noticed that Apple was hiding a string of letters and numbers
    in the source code to one of the pages designed to confirm users'

    By cutting and pasting that "hash" into a separate page for specifying
    the new password, Null was able to change his password without
    answering the secret question used to authenticate him.
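    The design error described above, modelled as an added example that is not code from the article, from Apple or from Null: the flawed flow hands the client a hash and lets the set-password page accept that hash alone as proof of identity, while the hardened flow treats the token as a mere session handle and only honours a password change once the server itself has recorded that the secret question was answered, discarding the token after one use. The account store, e-mail address and secret answer are constructed for the example.

```python
import hmac
import secrets


class FlawedReset:
    # Models the flow the article describes: the per-request hash is handed to the
    # client (it sat in page source) and set_password accepts that hash as proof.
    def __init__(self, accounts):
        self.accounts = accounts  # constructed store: email -> account dict
        self.tokens = {}          # hash -> email

    def request(self, email):
        token = secrets.token_hex(16)
        self.tokens[token] = email
        return token  # in the real flaw this value was visible via "view source"

    def set_password(self, token, new_pw):
        email = self.tokens.get(token)
        if email is None or email not in self.accounts:
            return False
        self.accounts[email]["password"] = new_pw  # secret question never enforced
        return True


class HardenedReset:
    # Same entry points, but the token is only a session handle: the server records
    # whether the secret question was answered and honours a change only after that.
    def __init__(self, accounts):
        self.accounts = accounts
        self.sessions = {}  # token -> {"email": ..., "verified": bool}

    def request(self, email):
        token = secrets.token_urlsafe(32)  # 256-bit random, unguessable
        self.sessions[token] = {"email": email, "verified": False}
        return token

    def answer_question(self, token, answer):
        s = self.sessions.get(token)
        acct = self.accounts.get(s["email"]) if s else None
        if acct is not None and hmac.compare_digest(
                acct["secret_answer"].encode(), answer.encode()):
            s["verified"] = True  # proof of identity is recorded server-side
        return bool(s and s["verified"])

    def set_password(self, token, new_pw):
        s = self.sessions.get(token)
        if s is None or not s["verified"]:
            return False  # a pasted token alone buys nothing
        del self.sessions[token]  # single use
        self.accounts[s["email"]]["password"] = new_pw
        return True
```

    Note that the hardened version also never reveals whether an e-mail address exists, since request() issues a token either way and the checks happen later.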
    Last year, Null identified a similar password security problem at the
    eBay website.

    While Apple is renowned for the elegant design of its products, even
    the best software engineers often do not anticipate that users will
    try hard to break their software, according to Bruce Schneier, chief
    technology officer for Counterpane Internet Security.

    "Security is different than other kinds of engineering," said
    Schneier. "Engineering is about making things work. Security is about
    making sure things don't fail badly. You have to assume a malicious

    Null said attackers who commandeered an Apple Store customer's account
    could specify that products be shipped to a "drop spot" location using
    the victim's credit card.

    When a password change is submitted to the Apple Store site, the
    account holder receives an e-mail notification. Such a notice could
    alert a victim of an account hijack, but the user would be unable to
    log in to the account.

    Besides providing access to an array of computer hardware and software
    for sale, Apple's log-in system authenticates customers of the iTunes
    store, which sells downloadable music tracks for 99 cents each. The
    programming error could have enabled malicious users to download music
    at the victim's expense, Null said.

    Apple's Mac.com online publishing service uses a similar system for
    resetting forgotten passwords, but Null said the service did not
    appear to be vulnerable to the cut-and-paste exploit.

    Apple had no immediate information about whether the vulnerability
    lies in the company's WebObjects software used at the store, or
    whether it would affect third-party sites running the software.
    ISN is currently hosted by Attrition.org

    This archive was generated by hypermail 2b30 : Tue May 06 2003 - 00:18:24 PDT