In a report published by Vulnerability Lab’s Benjamin Kunz Mejri, it was revealed that users of the Apple App Store are at risk. The risk is due to a vulnerability that exists in the iOS Notify function that allows for remote script injection. Notify, as explained in an article by Kaspersky Lab’s Threatpost, “takes information from the device, such as iCloud credentials or devicename values, to alert users when a soon-to-launch application debuts.”
According to the Vulnerability Lab report, an input validation vulnerability and mail encode vulnerability is to blame for the possible remote code injection. The exploitation of these flaws can be achieved via low-privilege accounts and eventually lead to session hijacking, phishing, page redirection, and so many more malicious activities. As such, the CVSS (Common Vulnerability Scoring System) rating is 3.8, which puts it at a medium threat.
The good news is that Apple has confirmed that they are not only aware of this issue, they are also working on a patch to eliminate the problem. In an interview with Threatpost, Mejri stated that he “contacted Apple’s Product Security Team about the issues on Dec. 15 and acknowledged that the vulnerability should be able to be resolved on the server-side.” He added that a temporary patch has been implemented and a full fix is expected soon.
Apple tends to be fairly efficient with their patches, but one should not take the temporary patch to mean that they are completely safe until the full patch. I would personally advise limiting usage of any function related to Notify at this moment and not resume it until the patch is rolled out. Additionally, I would like to point out that this particular exploit is eerily similar to another remote code injection vulnerability reported by Vulnerability Lab and subsequently patched by Apple over a year ago.
It would do Apple well to re-evaluate the coding that they are utilizing that is consistently leaving their massive user base at risk to remote code injection. The last thing a tech company of Apple’s stature needs is a mass hacking incident brought on by faulty code.