Apple Store security flaw

According to Wired News, "Apple Computer said it fixed a security flaw at its online store late last week that could have enabled attackers to hijack customers' accounts and place fraudulent orders. "

Apple has licensed 1-Click™ from Amazon, which simply means keeping the customer's credit card details on file so that purchases can be completed without re-entering them at checkout. Apple said that an attacker would not have been able to retrieve the full credit card number, but it would have been possible to place orders on the Apple Store as well as on the new music store.

Call me paranoid, but that is exactly why I resent storing sensitive information on foreign systems.

The flaw was discovered by an anonymous Canadian security researcher, nicknamed "Null", who simply looked at the HTML source of the page that helps users reset their password:

After submitting his e-mail address, as requested by the system, Null said he noticed that Apple was hiding a string of letters and numbers in the source code to one of the pages designed to confirm users' identities.

By cutting and pasting that "hash" into a separate page for specifying the new password, Null was able to change his password without answering the secret question used to authenticate him.

Last year, Null identified a similar password security problem at the eBay website.

This kind of flaw is a matter of coding practice, not of any particular platform: the server handed the browser the one value that authorises a password change (the hidden "hash") before the secret question had been answered, and the page that sets the new password then trusted that value on its own. Anything sent to the browser, hidden field or not, is under the user's control, so a multi-step identity check has to be enforced server-side; a round trip from page to page through the client cannot be relied on to have happened in order, or at all. There are other well-known examples of the same mistake; I think specifically of the register_globals behaviour of old versions of PHP, which turned arbitrary request parameters into script variables and led to the same class of flaw. Despite this, Wired drags Apple's own technology through the mud:

Apple had no immediate information about whether the vulnerability lies in the company's WebObjects software used at the store, or whether it would affect third-party sites running the software.

Wired would have served its audience better by pointing at the coding practice and reminding programmers that this can happen with any technology.
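To make the coding-practice point concrete, here is an added example; it is not Apple's or WebObjects code and not taken from the Wired article. It models a "forgot your password" flow twice: first in the shape the article describes (the per-account reset hash is emitted into a hidden field before the secret question is answered, and the page that sets the new password accepts that hash alone), then with the state kept server-side so that the token only exists once the question has actually been answered. The user store, the hidden-field name, the HTML, the HMAC-derived "hash" and the `RESET_SECRET` value are all constructed for the illustration; the secret-question mechanism itself is kept as the page describes it, without any claim that it is a good second factor.

```python
from __future__ import annotations
import hmac
import re
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Constructed user store (not real data): e-mail -> password, secret question, answer.
USERS = {
    "alice@example.com": {"password": "old-password",
                          "question": "Name of your first pet?", "answer": "fido"},
}
RESET_SECRET = b"assumed-server-side-secret"   # assumed value; only the vulnerable flow uses it


def _account_hash(email: str) -> str:
    """Deterministic per-account 'hash', standing in for the string Null found in the source."""
    return hmac.new(RESET_SECRET, email.encode(), "sha256").hexdigest()


# --- Vulnerable flow: the identity proof is handed to the browser too early ------
def vulnerable_confirm_page(email: str) -> str:
    """Step 1 renders the secret question, but the reset hash is already in a
    hidden field, i.e. visible in the page source before any answer is given."""
    if email not in USERS:
        return "<p>Unknown account</p>"
    return ("<form action='/set_password' method='post'>"
            f"<input type='hidden' name='hash' value='{_account_hash(email)}'>"
            f"<p>{USERS[email]['question']}</p>"
            "<input name='answer'><input type='submit'></form>")


def vulnerable_set_password(hash_value: str, new_password: str) -> bool:
    """Step 2 trusts the hash alone; nothing records whether step 1's question
    was ever answered, so the hash works as a skeleton key for the account."""
    for email in USERS:
        if hmac.compare_digest(_account_hash(email), hash_value):
            USERS[email]["password"] = new_password
            return True
    return False


def cut_and_paste_attack(email: str, new_password: str) -> bool:
    """What Null did: lift the hidden value from the step-1 source and post it
    straight to step 2, never answering the question."""
    match = re.search(r"name='hash' value='([0-9a-f]+)'", vulnerable_confirm_page(email))
    return match is not None and vulnerable_set_password(match.group(1), new_password)


# --- Hardened flow: the server, not the browser, remembers what was proven -------
TOKEN_TTL = 600  # seconds a challenge stays valid


@dataclass
class ResetChallenge:
    email: str
    created: float
    token: Optional[str] = None   # minted only after the question is answered


CHALLENGES: dict[str, ResetChallenge] = {}   # server-side state keyed by an opaque id


def request_reset(email: str, now: Optional[float] = None) -> Optional[tuple[str, str]]:
    """Step 1: the client receives an opaque challenge id and the question.
    Nothing capable of changing the password exists yet."""
    if email not in USERS:
        return None   # a real deployment would also avoid confirming account existence
    cid = secrets.token_urlsafe(16)
    CHALLENGES[cid] = ResetChallenge(email, time.time() if now is None else now)
    return cid, USERS[email]["question"]


def answer_challenge(cid: str, answer: str, now: Optional[float] = None) -> Optional[str]:
    """Step 2: only a correct answer to a live challenge mints the reset token."""
    now = time.time() if now is None else now
    ch = CHALLENGES.get(cid)
    if ch is None or now - ch.created > TOKEN_TTL:
        CHALLENGES.pop(cid, None)
        return None
    if not hmac.compare_digest(USERS[ch.email]["answer"].encode(),
                               answer.strip().lower().encode()):
        return None
    ch.token = secrets.token_urlsafe(32)
    return ch.token


def hardened_set_password(cid: str, token: str, new_password: str,
                          now: Optional[float] = None) -> bool:
    """Step 3: the challenge is consumed on first use, must be unexpired, must
    have passed step 2, and the token must match exactly."""
    now = time.time() if now is None else now
    ch = CHALLENGES.pop(cid, None)   # single use, whether or not this attempt succeeds
    if ch is None or ch.token is None or now - ch.created > TOKEN_TTL:
        return False
    if not hmac.compare_digest(ch.token.encode(), token.encode()):
        return False
    USERS[ch.email]["password"] = new_password
    return True
```

In the vulnerable half, `cut_and_paste_attack("alice@example.com", "pwned")` succeeds without the attacker ever seeing the secret answer, because the hidden value is both readable by the client and sufficient on its own. In the hardened half, the browser only ever holds an opaque challenge id until the answer has been checked; the token is created server-side at that point, compared in constant time, bound to a lifetime, and destroyed on the first attempt to use it, so pasting anything from the page source into the final step buys nothing.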
