Connect with us

Hi, what are you looking for?

Hard News Hard Hitting News Source Global Political News

Cyber Security

Apple paid out $36,000 bug bounty for HTTP request smuggling flaws on core web apps – research

A security researcher claims they netted $36,000 in bug bounties after uncovering critical HTTP request smuggling vulnerabilities affecting three of Apple’s core web applications.

The bug hunter, a 20-year-old hacker going by the online moniker ‘Stealthy’, said they deployed the same technique to achieve queue poisoning on the domains, paving the way to data disclosure and account takeover with no user interaction required.

The bugs supposedly affected servers for business.apple.com and school.apple.com, which businesses and schools respectively use to manage devices, apps, and accounts, as well as mapsconnect.apple.com, which organizations use to claim and manage business listings on Apple’s maps application.

The HTTP request smuggling flaws were CL.TE – or ‘Content-Length Transfer-Encoding’ – issues, whereby “the front-end server reads the Content-Length header in a request, and the backend server reads the Transfer-Encoding header”, Stealthy explained in a Medium blog post.

Vulnerabilities arise because the servers disagree on where requests begin and end.

Redirecting live users

“A transformation was needed in the Transfer-Encoding header on Apple’s websites using a newline character and then a space in the header name,” said Stealthy.

This change – Transfer-Encoding\n : chunked – “successfully slipped the header past the frontend server but [it] was still used by the backend”.

Based on this observation Stealthy crafted the first proof of concept.

“My smuggled path is /static/docs because a redirect occurs there, using the Host header value in the redirect,” continued the researcher. “Thus, I could redirect live users to my server to ensure that the request smuggling affects production users.”

This would enable attackers to redirect JavaScript imports and achieve stored cross-site scripting (XSS) on the host.

More impactful still was the servers’ vulnerability to queue poisoning, an attack technique that “smuggles a complete request and breaks the response queue, which will start sending random responses to unintended users”.

All response data, including Set-Cookie headers, could be disclosed by this technique, the researcher claims.

Apple responded to the bug report quickly, remediated the vulnerabilities, and paid Stealthy a $12,000 bug bounty reward for each domain.

Apple did not respond to The Daily Swig’s requests for comment.

Source: https://portswigger.net/daily-swig/apple-paid-out-36-000-bug-bounty-for-http-request-smuggling-flaws-on-core-web-apps-research

Advertisement. Scroll to continue reading.
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like

Cyber Security

Belgium became a haven for ethical hackers following the adoption of a nationwide safe harbor agreement last month. The framework means that well-intentioned security researchers are free...

Cyber Security

Twitter faced further criticism this week when Elon Musk’s social networking platform announced SMS-based 2FA will only be available to paying customers going forward....

Cyber Security

Apache has resolved a vulnerability potentially exploitable to launch remote code execution (RCE) attacks using Kafka Connect. Announced on February 8, the critical vulnerability...

Cyber Security

KeePass has become the latest password manager utility obliged to defend its reputation following the discovery of an alleged vulnerability. Security researchers warned that it might be...

Copyright © 2023 Hard News Herd Hitting in Your Face News Source | World News | Breaking News | US News | Political News Website by Top Search SEO