Information Security News mailing list archives

Apple Squashes E-Store ID Bug


From: InfoSec News <isn () c4i org>
Date: Tue, 6 May 2003 00:23:02 -0500 (CDT)

http://www.wired.com/news/privacy/0,1848,58718,00.html

By Brian McWilliams 
May. 05, 2003 

Apple Computer said it fixed a security flaw at its online store late
last week that could have enabled attackers to hijack customers'
accounts and place fraudulent orders.

The flaw, discovered by an anonymous Canadian security researcher who
uses the nickname "Null," potentially allowed malicious users to
change Apple Store customers' passwords and gain control of the
victims' account data.

Information stored by Apple includes customers' names, mailing
addresses, telephone numbers, order histories and credit card
information.

To steal an Apple Store customer's account, a malicious user merely
needed to know the victim's e-mail address.

Once in control of an account, an attacker potentially could have
ordered computer products from the store or downloaded music from
Apple's new iTunes Music Store using the victim's credit card number
on file.

An intruder would not, however, have been able to retrieve the
complete credit card number and use it outside of the Apple Store.

Apple representatives said the company corrected the problem Friday,
but declined to provide details of the fix. Spokesman Bill Evans said
Apple does not believe any customers were affected by the
vulnerability.

"We take all reports of security vulnerabilities seriously, and we
create a fix as soon as possible. We've had a track record of being
able to respond quickly," said Evans.

After being contacted by Null last Wednesday and easily confirming his
discovery using a test account, Wired News notified Apple of the
problem.

Null said he discovered the vulnerability at Apple.com using the "view
source" option in his Web browser while visiting a section of the
online store designed to help people who have forgotten their
passwords.

After submitting his e-mail address, as requested by the system, Null
said he noticed that Apple was hiding a string of letters and numbers
in the source code to one of the pages designed to confirm users'
identities.

By cutting and pasting that "hash" into a separate page for specifying
the new password, Null was able to change his password without
answering the secret question used to authenticate him.
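The flaw Null describes is a general one: the reset credential was generated and rendered into the page before the secret question had been answered, and the set-password step then trusted that credential on its own. The model below is an added example written for this archive, not Apple's WebObjects code; the account, secret answer, endpoint names and `hash` field are constructed for illustration. It puts the leaky flow beside a hardened one that mints a single-use, expiring token only after the answer has been verified server-side, and includes the regression check a defender would keep: attempt the reset knowing only the e-mail address and confirm it fails.

```python
"""Forgotten-password flow modelled two ways (constructed example)."""
import hashlib
import hmac
import re
import secrets
import time

_SALT = b"constructed-salt"  # constructed; real systems use a per-user random salt


def _hash_answer(answer: str) -> bytes:
    """Store the secret answer as a slow salted hash, normalised for case/space."""
    return hashlib.pbkdf2_hmac("sha256", answer.strip().lower().encode(), _SALT, 100_000)


def make_accounts() -> dict:
    """Fresh constructed account store so each flow can be exercised independently."""
    return {"victim@example.com": {"password": "original-password",
                                   "answer_hash": _hash_answer("Fluffy")}}


class WeakResetFlow:
    """Mirrors the reported design: the reset hash exists before identity is checked."""

    def __init__(self, accounts: dict):
        self.accounts = accounts
        self.tokens = {}  # token -> email

    def request_reset(self, email: str) -> str:
        # Step 1: the secret-question page already carries the reset hash as a
        # hidden field, so "view source" reveals it.
        token = secrets.token_hex(16)
        self.tokens[token] = email
        return (f'<form action="/question"><input type="hidden" name="hash" value="{token}">'
                "<p>What is your pet's name?</p></form>")

    def set_password(self, token: str, new_password: str) -> bool:
        # Step 3 accepts the hash alone; the server never records whether
        # step 2 (answering the question) actually happened.
        email = self.tokens.get(token)
        if email is None:
            return False
        self.accounts[email]["password"] = new_password
        return True


class HardenedResetFlow:
    """Token is issued only after the answer is verified; single-use and time-limited."""
    TOKEN_TTL = 600  # seconds

    def __init__(self, accounts: dict):
        self.accounts = accounts
        self.tokens = {}  # token -> (email, expiry)

    def request_reset(self, email: str) -> str:
        # Step 1 renders the question only; nothing secret is sent before verification.
        return '<form action="/question"><p>What is your pet\'s name?</p></form>'

    def answer_question(self, email: str, answer: str):
        """Step 2: verify server-side, then mint the token. Unknown account and
        wrong answer return the same value so the endpoint does not enumerate users."""
        acct = self.accounts.get(email)
        if acct is None:
            return None
        if not hmac.compare_digest(_hash_answer(answer), acct["answer_hash"]):
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (email, time.monotonic() + self.TOKEN_TTL)
        return token

    def set_password(self, token: str, new_password: str) -> bool:
        entry = self.tokens.pop(token, None)  # pop makes the token single-use
        if entry is None:
            return False
        email, expiry = entry
        if time.monotonic() > expiry:
            return False
        self.accounts[email]["password"] = new_password
        return True


def reset_without_answer(flow, email: str, new_password: str = "attacker-chosen") -> bool:
    """Regression check for the reported weakness: take whatever the first page
    leaks, submit it straight to the set-password step, never answer the question.
    Returns True if the password changed, which a hardened flow must never allow."""
    page = flow.request_reset(email)
    m = re.search(r'name="hash" value="([0-9a-f]+)"', page)
    token = m.group(1) if m else ""
    return flow.set_password(token, new_password)
```

Run `reset_without_answer` against both flows: the weak one changes the password from the e-mail address alone, the hardened one refuses, and the legitimate owner still gets through by answering the question, with the token rejected on a second use.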

Last year, Null identified a similar password security problem at the
eBay website.

While Apple is renowned for the elegant design of its products, even
the best software engineers often do not anticipate that users will
try hard to break their software, according to Bruce Schneier, chief
technology officer for Counterpane Internet Security.

"Security is different than other kinds of engineering," said
Schneier. "Engineering is about making things work. Security is about
making sure things don't fail badly. You have to assume a malicious
adversary."

Null said attackers who commandeered an Apple Store customer's account
could specify that products be shipped to a "drop spot" location using
the victim's credit card.

When a password change is submitted to the Apple Store site, the
account holder receives an e-mail notification. Such a notice could
alert a victim of an account hijack, but the user would be unable to
log in to the account.

Besides providing access to an array of computer hardware and software
for sale, Apple's log-in system authenticates customers of the iTunes
store, which sells downloadable music tracks for 99 cents each. The
programming error could have enabled malicious users to download music
at the victim's expense, Null said.

Apple's Mac.com online publishing service uses a similar system for
resetting forgotten passwords, but Null said the service did not
appear to be vulnerable to the cut-and-paste exploit.

Apple had no immediate information about whether the vulnerability
lies in the company's WebObjects software used at the store, or
whether it would affect third-party sites running the software.


