iTunes Man In The Middle Vulnerability Leading To Stolen Apple Login Credentials
Description, Impact, Cause & Mitigating Actions:
THINKSECURE PTE LTD has discovered that all iTunes versions before 11.0.3, released on 16 May 2013, did not check the validity of the signing CA before establishing an SSL connection with the server when accessing a particular URL. This could lead to a man-in-the-middle (MITM) scenario in which an attacker tricks a victim into logging in with his or her Apple credentials via iTunes and steals those credentials through an SSL MITM attack.
We have named this vulnerability the iTunes Man In The Middle vulnerability. The issue was reported to Apple and has been assigned CVE-2013-1014.
Victims would most likely be social-engineered into clicking on a link or visiting a site which is controlled by the attacker.
When the link is accessed, iTunes would automatically be started and it would then prompt the victim to enter his/her Apple credentials in order to view the victim's personal records stored at Apple's backend platform.
There is no warning message from iTunes that anything is wrong at this point.
In order to execute the SSL MITM attack, the attacker would first need to position him/herself in the same network segment as the victim. The attacker would then be able to use a standard SSL MITM attack to steal the victim's Apple login credentials.
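The check that a client must perform before it sends credentials over SSL, shown as an added Go example that is not part of the advisory and is not Apple's or iTunes' code. It builds a constructed in-memory PKI (one CA the client trusts, one rogue CA it has never heard of, and a certificate for the same hostname issued by each), then contrasts a client that validates the chain with a client that only checks expiry and hostname, which is the defect class described above. The hostname "store.example.com" and the CA names are placeholders, not the page's URL.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Placeholder hostname for the constructed store server (assumption, not the advisory's URL).
const storeHost = "store.example.com"

// testPKI holds the constructed PKI: the pool of CAs the client trusts, the leaf
// certificate the trusted CA issued for storeHost, and a look-alike leaf for the
// same hostname issued by a rogue CA, i.e. what an on-path attacker would present.
type testPKI struct {
	trusted   *x509.CertPool
	goodLeaf  *x509.Certificate
	rogueLeaf *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// mustCert signs tmpl with signer under parent and returns the parsed certificate.
func mustCert(tmpl, parent *x509.Certificate, pub interface{}, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// newCA creates a self-signed CA certificate valid for the next 24 hours.
func newCA(name string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return mustCert(tmpl, tmpl, &key.PublicKey, key), key
}

// newLeaf issues a server certificate for host, signed by the given CA.
func newLeaf(host string, serial int64, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return mustCert(tmpl, ca, &key.PublicKey, caKey)
}

// buildTestPKI constructs the trusted CA, the rogue CA, and one leaf from each.
func buildTestPKI() testPKI {
	ca, caKey := newCA("Trusted Root CA (constructed)", 1)
	rogue, rogueKey := newCA("Rogue CA (constructed)", 2)
	pool := x509.NewCertPool()
	pool.AddCert(ca) // only the legitimate CA is in the client's trust store
	return testPKI{
		trusted:   pool,
		goodLeaf:  newLeaf(storeHost, 10, ca, caKey),
		rogueLeaf: newLeaf(storeHost, 11, rogue, rogueKey),
	}
}

// verifyServerCert is the check a correct client performs: the presented
// certificate must chain to a trusted CA and must be valid for the requested host.
func verifyServerCert(leaf *x509.Certificate, trusted *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     trusted,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// acceptWithoutCACheck reproduces the defect class in the advisory: validity
// period and hostname are checked, but the signing CA never is, so a certificate
// minted by an attacker-controlled CA for the right hostname is accepted.
func acceptWithoutCACheck(leaf *x509.Certificate, host string) error {
	now := time.Now()
	if now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
		return errors.New("certificate outside its validity period")
	}
	return leaf.VerifyHostname(host)
}

func main() {
	pki := buildTestPKI()
	fmt.Println("verifying client, legitimate cert:", verifyServerCert(pki.goodLeaf, pki.trusted, storeHost))
	fmt.Println("verifying client, rogue cert:     ", verifyServerCert(pki.rogueLeaf, pki.trusted, storeHost))
	fmt.Println("flawed client, rogue cert:        ", acceptWithoutCACheck(pki.rogueLeaf, storeHost))
}
```

The verifying client rejects the rogue certificate with an "unknown authority" error even though its hostname and dates are fine, which is exactly the rejection a client on the attacker's network segment needs in order to refuse the login prompt; the flawed client returns no error for the same certificate.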
A victim's Apple login credentials are a very important piece of information, as they allow the attacker to perform many actions on behalf of the victim.
Some of the more malicious activities the attacker can perform using the victim's Apple login credentials are as follows:
1. The attacker can log in to the victim's iCloud account at https://www.icloud.com using the stolen credentials, which would then allow the attacker to view the victim's mobile devices' emails, contacts, calendar, notes, reminders and iWork documents, which are synced to iCloud by default.
The attacker can potentially even track the victim's mobile devices' geographical location via the "Find My iPhone" functionality, as well as remotely wipe all of the victim's mobile devices tied to that particular iCloud account.
2. The attacker can purchase items from Apple's App Store and the iTunes Store using the stolen credentials, and the cost of the purchase would be billed to the victim.
3. The attacker can log in to iTunes on another machine using the stolen credentials and position him/herself on the same network as the victim. If the sharing function on the victim's iTunes installation is turned on, this would allow the attacker to copy content from the victim's iTunes library over the network.
In our testing, we identified the problem URL as itmss://buy.itunes.apple.com/WebObjects/MZFinance.woa/wa/accountSummary.
Thus, if an attacker were to send this link to a victim via email or redirect the user to it from an attacker-controlled website, the above scenario could be used to steal the victim's Apple credentials.
Apple was informed of this on 12 Mar 2013, and we held off announcing the technique (responsible disclosure) until Apple released a fix for the issue on 16 May 2013.
iTunes version 11.0.3, released on 16 May 2013, has been tested and confirmed to fix this vulnerability.
Apple's description of the issue can be located at http://support.apple.com/kb/HT5766, which is linked from http://support.apple.com/kb/HT1222.
Apple security updates are available via the Software Update mechanism (http://support.apple.com/kb/HT1338) and are also available for manual download at http://www.apple.com/support/downloads/.
Vulnerability Discovery Acknowledgments:
Christopher Low of THINKSECURE PTE LTD discovered and researched this vulnerability from Dec 2012 to Jan 2013.