Account takeover of any Account/Org and site-wide CSRF bypass on Apple Business Manager (https://register.apple.com) by chaining multiple vulnerabilities
Apple Inc. is an American multinational technology company headquartered in Cupertino, California. As of March 2023, Apple is the world's biggest company by market capitalization, and with US$394.3 billion the largest technology company by 2022 revenue.
#Vulnerability Type :
Stored Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF) protection misconfiguration
Insecure Direct Object Reference (IDOR)
#Impact :
1.Takeover of the Apple Business Manager account/org of any user, in multiple ways (see the Attack Scenario section)
2.Site-wide CSRF bypass
3.Running JavaScript in Apple Business Manager from the https://register.apple.com origin
#Affected Service :
Technical Details of the Bug :
I have found a few issues in Apple Business Manager (https://register.apple.com). By chaining them, an attacker can achieve full account takeover of the Apple Business Manager account of any organisation/user. I am first describing each issue separately, and then I will show the chained attack that results in takeover of the account.
1.Site-wide Stored XSS in Apple Business Manager Through URL Links
#Summary :
In Apple Business Manager there are many places where you can add links, e.g. the web links in the organisation details or the LinkedIn profile link in your account profile. URL validation is strict on the UI side, but there is no validation at all on the server side: if you submit any arbitrary value through a proxy tool, the server accepts it and stores it as a web link.
Protocols other than http/https are also accepted and work, e.g. javascript:, data: and ftp:.
When the protocol is javascript:, any JavaScript code you add is executed when the link is clicked. This is a stored XSS, and it affects every type of web link in every function of Apple Business Manager. A few of the affected places/endpoints are listed below.
1.Organisation -- > Web links(6 different links)
2.Members -- > member profile -- > Member LinkedIn profile link
3.Organisation Brand Web links
4.Organisation Location web links
5.Places on map web links location
6.Business chat and Health Record on iPhone Web links
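The missing control behind this issue is server-side validation of the link's scheme: the UI check can be skipped with a proxy, so the server has to enforce an allowlist itself. The following is an added example (not Apple's code and not from the report) of such a validator in JavaScript, using the WHATWG URL parser built into Node.js. The function names, the 2048-character limit and the sample inputs are constructed for this example.

```javascript
// Added example (not Apple's code): server-side validation of user-supplied
// web links, the control that was missing behind the stored XSS above.
// Uses the WHATWG URL parser built into Node.js (global `URL`).

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
const MAX_LENGTH = 2048; // constructed limit for this example

/**
 * Validate a web link submitted by a user.
 * Returns { ok: true, href } with a normalized absolute URL, or
 * { ok: false, reason } when the value must be rejected.
 */
function validateWebLink(input) {
  if (typeof input !== "string") {
    return { ok: false, reason: "not-a-string" };
  }
  if (input.length > MAX_LENGTH) {
    return { ok: false, reason: "too-long" };
  }
  let parsed;
  try {
    // No base URL is given, so relative values such as "//example.com" or
    // "foo" cannot be parsed as absolute URLs and are rejected here.
    parsed = new URL(input);
  } catch {
    return { ok: false, reason: "unparseable" };
  }
  // The parser has already lowercased the scheme, stripped leading/trailing
  // whitespace and removed embedded tab/newline characters, so "JavaScript:"
  // and "java\tscript:" both normalize to "javascript:" and fail this check.
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    return { ok: false, reason: "scheme-not-allowed" };
  }
  if (parsed.hostname === "") {
    return { ok: false, reason: "missing-host" };
  }
  if (parsed.username !== "" || parsed.password !== "") {
    return { ok: false, reason: "credentials-in-url" };
  }
  return { ok: true, href: parsed.href };
}

// Escape a value for use inside an HTML attribute or text node.
function escapeHtmlAttr(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Render a stored profile link as an anchor. Validation is repeated at render
// time so that a value stored before the fix is never emitted as a clickable
// link. Returns null when the link must not be rendered.
function renderProfileLink(storedValue) {
  const result = validateWebLink(storedValue);
  if (!result.ok) {
    return null;
  }
  const href = escapeHtmlAttr(result.href);
  return `<a href="${href}" rel="noopener noreferrer" target="_blank">${href}</a>`;
}
```

Validation is done twice on purpose: once when the value is written, and again when it is rendered, so that records stored before the server-side check existed cannot become a javascript: link on the page.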
#Affected browsers :
Latest Safari, IE/Edge and all mobile browsers (tested on the latest versions of Safari and Chrome)
#Steps to reproduce :
For the steps I am taking the example of the member profile LinkedIn URL. You can try it in all of the browsers mentioned above; the latest version of Safari on Mac is working.
1.Log in to your account on https://register.apple.com and go to the Members section.
2.Select your profile and edit the personal details.
3.Add any valid LinkedIn link and save it.
4.Intercept this request with a proxy tool such as Burp and change the link to the XSS payload mentioned below.
Payload used : javascript:alert(document.
5.You will notice that the request is accepted.
6.On your profile you will see the link saved, along with an "invalid URL" error.
7.Click on it and the XSS is triggered.
8.This is very critical because any low-privileged user in the organisation can change their profile, and all organisation members have access to it. Hence any low-privileged user can attack the admins and other members of the organisation.
9.As in this example, you can try the attack on any of the XSS endpoints mentioned above.
#POC :
I am attaching a few screenshots from different browsers for this issue. The steps can also be seen in the full video POC.
1.Latest Safari on Mac OS X
2.Latest Google Chrome on iOS :
3.Latest Safari on iOS :
#Impact :
1.Any low-privileged user, such as a read-only user, can attack admins and other members and steal their sessions.
2.If you share your organisation with another organisation by inviting them, you can gain complete access to their members' sessions.
2.CSRF protection Misconfiguration Site-wide:
#Summary :
In Apple Business Manager several different types of APIs are in use. Most organisation-related data is handled through GraphQL; apart from that, different sections have their own APIs. In most cases I have found that there is not enough CSRF protection in place. Currently, in most of the APIs/GraphQL, only the Origin header is validated on the server side, and because the Content-Type is application/json it is impossible to make the XHR request from any origin other than https://register.apple.com. But if an attacker finds a way to run JavaScript from the https://register.apple.com origin, the CSRF protection is bypassed completely, and the attacker can make any XHR request by writing JS code.
Below are following End points where CSRF can be bypassed :
1.Main organisation data
https://register.apple.com/
2.Business Chat API and messaging service providers
https://register.apple.com/
https://register.apple.com/
3.Places on the Map
https://register.apple.com/
4.Indoor Maps
https://register.apple.com/
5.Public Wifi Networks
https://register.apple.com/
6.Health Record on iPhone
https://register.apple.com/
All of the above APIs are protected against CSRF by Origin and Content-Type validation. In a few sections there is also a SameSite=Lax cookie, which completely prevents any direct CSRF attack. But if we combine the stored XSS (running JavaScript from the same origin) with CSRF, these protections no longer apply, and CSRF is possible against all of the above APIs.
I hope you have got the idea of how the attack is possible. For the POC I am taking the example of adding a new user with admin privileges via the Public Wifi Networks API, as the request is very small, which makes the attack easy to reproduce.
##Vulnerable HTTP Request :
```
POST /wifinetworks/api/
Host: register.apple.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://register.apple.com/
Content-Type: application/json;charset=utf-8
Content-Length: 81
Origin: https://register.apple.com
Connection: close
Cookie: [Cookies]
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
{"fullName":"attacker_user","
```
There is Origin validation and Content-Type validation on the server side, and the browser's cross-origin (Sec-Fetch-*) headers also prevent a normal CSRF attack.
You can check the requests of any other API and you will find the same kind of protection in place.
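To make the point above concrete, here is an added example (not Apple's code and not from the report) of a minimal model of that CSRF gate, in JavaScript: an Origin allowlist, a Content-Type check and a Sec-Fetch-Site check, run against three constructed requests. It shows that the gate rejects cross-site requests, and that a request issued by script already running on the trusted origin is indistinguishable from the application's own traffic. The function names and the sample requests are assumptions made for this example; only the origin https://register.apple.com comes from the report.

```javascript
// Added example (not Apple's code): model of the CSRF gate described above
// (Origin allowlist + Content-Type check + Sec-Fetch-Site), evaluated against
// constructed requests. Header values here are made up for the example.

const TRUSTED_ORIGIN = "https://register.apple.com"; // origin from the report

// Lowercase header names so lookups are case-insensitive.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = value;
  }
  return out;
}

/**
 * Decide whether a state-changing request passes the CSRF checks.
 * Returns { allowed: true } or { allowed: false, reason }.
 */
function csrfGate(req) {
  const h = normalizeHeaders(req.headers);

  // 1. Origin must be present and must equal the application's own origin.
  if (h["origin"] === undefined) return { allowed: false, reason: "missing-origin" };
  if (h["origin"] !== TRUSTED_ORIGIN) return { allowed: false, reason: "origin-mismatch" };

  // 2. Body must be JSON. An HTML form cannot send this media type, and a
  //    cross-site fetch() that sets it triggers a CORS preflight.
  const mediaType = (h["content-type"] || "").split(";")[0].trim().toLowerCase();
  if (mediaType !== "application/json") return { allowed: false, reason: "content-type" };

  // 3. Fetch metadata, when the browser sends it, must say same-origin.
  const site = h["sec-fetch-site"];
  if (site !== undefined && site !== "same-origin") {
    return { allowed: false, reason: "sec-fetch-site:" + site };
  }
  return { allowed: true };
}

// Constructed sample requests (no real traffic was captured for these).
const SAMPLE_REQUESTS = {
  // A classic cross-site form post from an attacker-controlled page.
  crossSiteForm: {
    method: "POST",
    headers: {
      Origin: "https://attacker.example",
      "Content-Type": "application/x-www-form-urlencoded",
      "Sec-Fetch-Site": "cross-site",
    },
  },
  // A cross-site fetch() that tries to send JSON.
  crossSiteJsonFetch: {
    method: "POST",
    headers: {
      Origin: "https://attacker.example",
      "Content-Type": "application/json",
      "Sec-Fetch-Site": "cross-site",
    },
  },
  // What an XHR issued by script running on the trusted origin looks like:
  // the same headers the application itself sends, so the gate allows it.
  sameOriginScript: {
    method: "POST",
    headers: {
      Origin: TRUSTED_ORIGIN,
      "Content-Type": "application/json;charset=utf-8",
      "Sec-Fetch-Site": "same-origin",
    },
  },
};

// Run every sample through the gate and collect the verdicts by name.
function evaluateSamples(samples = SAMPLE_REQUESTS) {
  const verdicts = {};
  for (const [name, req] of Object.entries(samples)) {
    verdicts[name] = csrfGate(req);
  }
  return verdicts;
}
```

The sameOriginScript request passes every check, and a synchronizer token would not change that, because script on the same origin can read the token too. The effective mitigation for this chain is therefore removing the XSS (strict server-side validation of link schemes) and deploying a Content-Security-Policy whose script-src omits 'unsafe-inline', which also blocks navigation to javascript: URLs.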
##Ajax Request JS code :
```
<script>
var xhttp = new XMLHttpRequest();
xhttp.open('POST', 'https://register.apple.com/
xhttp.setRequestHeader('
xhttp.withCredentials = true;
xhttp.send(data);
</script>
```
For the POC I will directly provide the combined POC for one of these APIs.
3.IDOR issue in Accept Organisation Invite :
This is a reference to another of my reports, in which I reported an IDOR issue in Organisation Accept Invite (Ticket ID: 781149576). With it, an attacker can add his own organisation into the victim's account/org; when the victim visits the attacker's organisation and clicks on the link, the attacker's user is added into the victim's organisation, becomes an admin there and takes over the victim's org.
##Chaining All the Attacks :
The first attack is the stored XSS on https://register.apple.com. With it we can run JavaScript code originating from https://register.apple.com.
With the help of this we can bypass the CSRF mechanism, which lets us make XHR requests originating from https://register.apple.com.
Looking at the most critical actions, we can add a new user with admin privileges to the organisation, then remove the original admin and take over the victim's complete Apple Business Manager account.
##Final Payload for POC :
```
javascript:var xhttp = new XMLHttpRequest(); xhttp.open('POST', 'https://register.apple.com/
```
##Steps to reproduce :
For the POC you can use any of the listed endpoints with the above-mentioned POC payload. I will add all the attack scenarios in the Impact section to show the full impact. You can use any of the browsers mentioned above, but I would recommend the latest version of Safari on Mac. To show the steps I am taking the simple example of adding a new user with admin privileges to the Apple Business Manager account.
1.Log in to https://register.apple.com with an admin account.
2.Go to Members -- > edit any member profile.
3.In the LinkedIn URL profile section add any LinkedIn profile and save it.
4.Intercept the request from the above step with the Burp proxy tool.
5.In the request, change the URL value to the above-mentioned POC payload.
6.You will notice that the request is accepted, and the member profile shows the error message "URL is invalid".
7.Click on the URL and you will notice that a new user with admin privileges is added as a new member.
8.Once the new member is added as admin, the attacker can verify the email, remove the main admin and take over the account.
I will provide the real attack scenario in the Impact section.
##Attack Scenario :
I will try to explain the different attack scenarios in a few steps.
1.Takeover any Organisation with invite feature :
In the Members section you can invite other organisations. Once you invite the victim organisation, your organisation is added into the accounts of all members of the victim organisation. Below are the steps you can follow to take over the victim organisation.
#Steps :
1.Log in from the attacker account as admin and edit your organisation.
2.In the website link of your organisation add any link and save it.
3.Intercept this request and change the URL value to the above-mentioned POC payload.
Note: You can also add this payload in as many places as possible to trick the victim more easily.
4.Go to the Members section and invite the victim organisation.
5.The victim accepts the invitation, and the new organisation is added to his account and to all members of the organisation.
6.When any member, including an admin, of the victim organisation clicks on the attacker organisation's stored-XSS URL, a new user (the attacker) is added into their own organisation as admin.
7.The attacker can now accept the invitation and become an admin of the victim organisation.
8.The attacker user can now delete the original admins and take over the victim organisation.
2.Low privilege user can takeover the organisation :
In Apple Business Manager every low-privileged user has access to edit their own profile. Any user can edit their profile and add this malicious link to it. Once an admin visits that profile, the attacker's user is added, and the attacker can accept the invitation and become an admin in the organisation. The attacker can then delete the admin profile and take over the organisation.
#Steps :
1.Log in from a low-privileged user profile (e.g. a read-only user or test user).
2.Go to Members, select your own profile and edit it.
3.In the LinkedIn URL profile section add any LinkedIn profile and save it.
4.Intercept the request from the above step with the Burp proxy tool.
5.In the request, change the URL value to the above-mentioned POC payload.
6.You will notice that the request is accepted, and the member profile shows the error message "URL is invalid".
7.Log in as the organisation admin and visit the test user's profile.
8.Click on the link, and a new user (the attacker user) is added to the organisation as admin.
9.The attacker user can now verify and become the admin.
10.The attacker can now remove the admin and take over the organisation.
3.Takeover any organisation with help of the IDOR issue in Accept Organisation Invite :
This issue is similar to the 1st attack scenario, but a little more dangerous: with this attack the attacker can add his own org into the victim's account without the victim's knowledge, and then the same steps lead to the takeover of the victim's account.
#Video POC :
I am adding a private, password-protected video POC.
Link : https://vimeo.com/612555222
Password : applepoc007@
Timeline :
Sept 23rd 2021: Report sent to the Apple Product Security Team through email.
Sept 24th 2021: Report accepted and triaged.
Jan 24th 2021: Complete issue resolved and confirmed.
Feb 08th 2021: $3000 bounty rewarded

