Hello, my name is Faizan. I’m a security researcher. Hope you like this blog. If you have any questions, please feel free to reach out.
Apple has a security program under which it invites private security researchers to hack them and report the flaws in a coordinated and confidential manner. This hit my mind one day, and I decided to look around their servers.
TL;DR version: I was going through the domains owned by Apple. Testing domains that were recently acquired or are little known to other security researchers is the most time-saving approach, but I decided otherwise. I started testing iforgot.apple.com (one of Apple’s primary subdomains), which almost every Apple user relies on to reset their password. After playing around for a while, I figured I could send random text as a phone number to the server (which is okay), but at that point I thought of trying some injections. I investigated this further and changed the request method from POST to GET, and it disclosed information about the user without authentication. I reported this to Apple and, after a few discussions and presenting a solid exploitation scenario to the team, they decided to fix it and added me to their Web Server Notification Hall Of Fame.
Let’s get into the fancy part. Here’s the procedure.
1. The attacker visits the iforgot endpoint and enters the victim’s Apple ID.
2. Before allowing the attacker to reset the password, Apple tries to verify that the attacker really owns the Apple ID, so it asks the attacker to enter the mobile number associated with the Apple ID to prove ownership.
3. The attacker enters a random value.
4. The request uses an HTTP POST to deliver the phone number to the server for verification.
5. The attacker changes the HTTP method (POST to GET) and reads the information.
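To make the bug class concrete, here is an added example (my own constructed code, not Apple’s and not a reconstruction of the iforgot backend) of a recovery-step handler that serves every HTTP verb and lets the GET branch return account attributes before any verification has happened, beside a hardened version that enforces the verb, compares the phone number in constant time, gives the same answer for an unknown account and a wrong phone, and returns nothing about the account until verification succeeds. The account store, field names and values are all made up for the demo.

```python
import hmac
from dataclasses import dataclass, field
from typing import Any, Dict, Optional

# Constructed sample account store (hypothetical data for this demo only).
# The field names mirror the kinds of attributes the post says were exposed.
ACCOUNTS: Dict[str, Dict[str, Any]] = {
    "victim@example.com": {
        "phone": "+15550100",
        "country_code": "+1",
        "reset_via_other_device": True,
        "paid_account": True,
        "family_pairing": True,
        "remote_unlock": False,
    },
}


@dataclass
class Request:
    method: str
    params: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: Dict[str, Any] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)


def _lookup(req: Request) -> Optional[Dict[str, Any]]:
    return ACCOUNTS.get(req.params.get("apple_id", ""))


def vulnerable_handler(req: Request) -> Response:
    """Bug class: one route, every verb. POST performs the phone check and
    returns only the outcome, but the GET branch (imagined as a form pre-fill
    for an already verified session) returns the account's attributes without
    checking that any verification took place. Swapping POST for GET is enough."""
    account = _lookup(req)
    if account is None:
        return Response(404, {"error": "not found"})  # also enumerates accounts
    if req.method == "POST":
        ok = req.params.get("phone", "") == account["phone"]
        return Response(200, {"verified": ok})
    # GET: discloses everything the recovery UI never shows
    return Response(200, {k: v for k, v in account.items() if k != "phone"})


def hardened_handler(req: Request) -> Response:
    """Fixes: reject any verb but POST with 405 and an Allow header; compare the
    phone number in constant time; answer identically for an unknown account and
    a wrong phone so neither existence nor attributes leak; and return no account
    data at this step, only whether verification succeeded."""
    if req.method != "POST":
        return Response(405, {"error": "method not allowed"}, {"Allow": "POST"})
    account = _lookup(req)
    supplied = req.params.get("phone", "")
    # Compare against a dummy when the account is unknown so both branches do
    # the same amount of work before returning the same failure response.
    expected = account["phone"] if account else "\x00" * len(supplied)
    ok = hmac.compare_digest(supplied, expected) and account is not None
    return Response(200, {"verified": ok})


def probe(apple_id: str) -> Dict[str, Response]:
    """Send the tampered GET (no phone at all) to both handlers and return what
    each gives back, so the difference can be inspected side by side."""
    tampered = Request("GET", {"apple_id": apple_id})
    return {
        "vulnerable": vulnerable_handler(tampered),
        "hardened": hardened_handler(tampered),
    }


if __name__ == "__main__":
    for name, resp in probe("victim@example.com").items():
        print(f"{name:10s} -> {resp.status} {resp.body}")
```

Running the block prints the vulnerable handler handing back the country code and the account flags for a bare GET, while the hardened one answers 405 with nothing but an error string; the same hardened handler also returns `{"verified": False}` for both a nonexistent Apple ID and a wrong phone number, which is the other half of closing the enumeration gap.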
What could an attacker read?
1) The country the victim lives in (via the country code, which the front-end UI does not display).
2) Whether his device can be reset with another device.
3) Whether his account is a paid one.
4) Whether family device pairing is enabled on his Apple ID.
5) Whether his current device supports remote unlocking.
This information could have aided an adversary in multiple ways (with it, one could compile a massive list of Apple IDs ranking the most vulnerable Apple users worldwide), and it violated Apple’s commitment to safeguard users’ data and information.