Apple - IDOR worth $10,000 in the online service for Apple customers and Apple store owners
Apple Inc. is an American multinational technology company headquartered in Cupertino, California. As of March 2023, Apple is the world's biggest company by market capitalization, and with US$394.3 billion the largest technology company by 2022 revenue.
Access to all the files and attachments in messages between customers and Apple store owners on https://apple.channel.support
Target Information:
Technical Details of the Bug:
On https://apple.channel.support you can locate an Apple store and contact it with queries about anything.
You select the store by location and create a ticket with your query. Once the ticket is created, the customer and the store owner can communicate through messages on it, and files can be attached to those messages to explain the query. The HTTP request that serves these attachments is vulnerable to an IDOR issue, which allows access to any attachment on this domain.
Vulnerable Link/Request:
Changing the message_id and attachment ID to the victim's values lets you access the victim's attachment.
The Ticket_ID stays the attacker's own; only the message_id and attachment ID need to be changed to those of the victim's attachment.
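The authorization gap this describes, shown as an added example (not the site's own code): the server verifies that the caller may view the ticket but then trusts the client-supplied message_id and attachment ID. The in-memory tables, the user and ID values, and the function names are all constructed assumptions; the fixed handler checks the whole ownership chain.

```python
# Constructed sample data (assumed schema): attacker and victim each own one
# ticket, one message and one attachment. IDs are sequential, as in the report.
TICKETS = {
    1001: {"customer": "attacker", "store": "store-a"},
    1002: {"customer": "victim", "store": "store-b"},
}
MESSAGES = {5000001: {"ticket": 1001}, 5000002: {"ticket": 1002}}
ATTACHMENTS = {
    7000001: {"message": 5000001, "path": "attacker-receipt.pdf"},
    7000002: {"message": 5000002, "path": "victim-invoice.pdf"},
}


def may_view_ticket(user, ticket_id):
    """A ticket is visible to its customer and to the store it was raised with."""
    ticket = TICKETS.get(ticket_id)
    return ticket is not None and user in (ticket["customer"], ticket["store"])


def fetch_attachment_vulnerable(user, ticket_id, message_id, attachment_id):
    """Mirrors the reported behaviour: only the ticket is authorized, while
    message_id is ignored and attachment_id is trusted as supplied."""
    if not may_view_ticket(user, ticket_id):
        return None
    attachment = ATTACHMENTS.get(attachment_id)
    return attachment["path"] if attachment else None


def fetch_attachment_fixed(user, ticket_id, message_id, attachment_id):
    """Authorize the whole chain: the attachment must belong to the named
    message, and that message must belong to the ticket the user may view."""
    if not may_view_ticket(user, ticket_id):
        return None
    attachment = ATTACHMENTS.get(attachment_id)
    if attachment is None or attachment["message"] != message_id:
        return None
    message = MESSAGES.get(message_id)
    if message is None or message["ticket"] != ticket_id:
        return None
    return attachment["path"]


if __name__ == "__main__":
    # Attacker's own ticket, but the victim's message and attachment IDs.
    print(fetch_attachment_vulnerable("attacker", 1001, 5000002, 7000002))  # victim-invoice.pdf
    print(fetch_attachment_fixed("attacker", 1001, 5000002, 7000002))       # None
```

Random, non-sequential attachment identifiers would remove the easy enumeration the report goes on to describe, but only the ownership check actually closes the IDOR.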
Steps to reproduce:
Create 2 accounts: attacker and victim.
1. Log in from the victim account on https://apple.channel.support and create a new ticket with any store owner (selected by location).
2. Once the ticket is created, add a new message with an attachment.
3. Once the attachment is uploaded, copy its link.
Ex link:
4. Now log in from the attacker account, create a new ticket, and add an attachment in a message.
Ex attachment link would be:
5. Now, from the attacker account, modify the link as below.
6. Keep the attacker's ticket ID only, but change the message_ID and attachment ID to the victim's.
7. Access the URL and you will be able to view the victim's attachment.
How can you access all the attachments on https://apple.channel.support?
No change is required in the Ticket ID; only the message_id and attachment ID need to be current.
message_id and attachment ID are both 7-digit values, and both increase in a synchronous manner.
Ex:
As you can see, as the message_ID increases, the attachment ID increases in step with it. This is very helpful when an attacker wants to extract all the attachments on the domain.
Keeping one message ID fixed and brute forcing the attachment ID gives you attachment details within a few seconds.
With a powerful server and a proper setup, you could capture all attachments within a day.
POC:
I ran some brute forcing and already found results with the above technique. I am attaching the POC from my Burp Intruder and the related results just to confirm my issue.
As you can see, some brute forcing of around 1000 requests gave me 4 valid files with the normal Burp Intruder.
Impact:
A few of the attachment files I found contained invoices, personal device data, images of damaged Apple devices, etc., in PDF and image format.
All this data looked pretty sensitive to me. All store owner and customer data is also at risk from this issue.
Timeline:
Dec 04th 2020: Report sent to the Apple Product Security Team through email.
Dec 05th 2020: Report accepted and triaged.
Dec 06th 2020: Complete issue was resolved and confirmed.
Jan 15th 2021: $10,000 bounty rewarded