A security researcher claims they netted $36,000 in bug bounties after uncovering critical HTTP request smuggling vulnerabilities affecting three of Apple’s core web applications.
The bug hunter, a 20-year-old hacker going by the online moniker ‘Stealthy’, said they deployed the same technique to achieve queue poisoning on the domains, paving the way to data disclosure and account takeover with no user interaction required.
The bugs supposedly affected servers for business.apple.com and school.apple.com, which businesses and schools respectively use to manage devices, apps, and accounts, as well as mapsconnect.apple.com, which organizations use to claim and manage business listings on Apple’s maps application.
The HTTP request smuggling flaws were CL.TE – or ‘Content-Length Transfer-Encoding’ – issues, whereby “the front-end server reads the Content-Length header in a request, and the backend server reads the Transfer-Encoding header”, Stealthy explained in a Medium blog post.
Vulnerabilities arise because the servers disagree on where requests begin and end.
Redirecting live users
“A transformation was needed in the Transfer-Encoding header on Apple’s websites using a newline character and then a space in the header name,” said Stealthy.
This change – Transfer-Encoding\n : chunked – “successfully slipped the header past the frontend server but [it] was still used by the backend”.
Based on this observation Stealthy crafted the first proof of concept.
“My smuggled path is /static/docs because a redirect occurs there, using the Host header value in the redirect,” continued the researcher. “Thus, I could redirect live users to my server to ensure that the request smuggling affects production users.”
This would enable attackers to redirect JavaScript imports and achieve stored cross-site scripting (XSS) on the host.
More impactful still was the servers’ vulnerability to queue poisoning, an attack technique that “smuggles a complete request and breaks the response queue, which will start sending random responses to unintended users”.
All response data, including Set-Cookie headers, could be disclosed by this technique, the researcher claims.
Apple responded to the bug report quickly, remediated the vulnerabilities, and paid Stealthy a $12,000 bug bounty reward for each domain.
Apple did not respond to The Daily Swig’s requests for comment.