Apple paid out $36,000 bug bounty for HTTP request smuggling flaws

Apr 8, 2022 | News

A security researcher claims they netted $36,000 in bug bounties after uncovering critical HTTP request smuggling vulnerabilities affecting three of Apple’s core web applications.

The bug hunter, a 20-year-old hacker going by the online moniker ‘Stealthy’, said they deployed the same technique to achieve queue poisoning on the domains, paving the way to data disclosure and account takeover with no user interaction required.

The bugs supposedly affected servers for business.apple.com and school.apple.com, which businesses and schools respectively use to manage devices, apps, and accounts, as well as mapsconnect.apple.com, which organizations use to claim and manage business listings on Apple’s maps application.

The HTTP request smuggling flaws were CL.TE – or ‘Content-Length Transfer-Encoding’ – issues, whereby “the front-end server reads the Content-Length header in a request, and the backend server reads the Transfer-Encoding header”, Stealthy explained in a Medium blog post.

Vulnerabilities arise because the servers disagree on where requests begin and end.

Redirecting live users

“A transformation was needed in the Transfer-Encoding header on Apple’s websites using a newline character and then a space in the header name,” said Stealthy.

This change – Transfer-Encoding\n : chunked – “successfully slipped the header past the frontend server but [it] was still used by the backend”.
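To make the disagreement concrete, the following Python model is an added example (not code from the article or from the researcher's write-up). It frames the same bytes twice: once as a front-end that matches header names exactly and therefore falls back to Content-Length, and once as a back-end that strips whitespace from header names and so honours the folded Transfer-Encoding header. It then applies the strict check a front-end should perform before forwarding anything. The request bytes, the /hidden path and the host name example.test are constructed for illustration; the parsers are deliberately simplified (no trailers, no multiple encodings).

```python
"""Added example, not code from the article or from the researcher's write-up.

Models the CL.TE disagreement: the same bytes framed by a front-end that
matches header names exactly (so it falls back to Content-Length) and by a
back-end that strips whitespace from header names (so it honours the folded
Transfer-Encoding header). Also shows the strict check a front-end should
apply before forwarding. All request bytes below are constructed.
"""

CRLF = b"\r\n"


def split_head(buf):
    """Split at the first blank line into (head, body); None if no blank line yet."""
    idx = buf.find(CRLF + CRLF)
    if idx < 0:
        return None
    return buf[:idx], buf[idx + 4:]


def parse_head(head):
    """Return (request_line, [(raw_name, value), ...]) without normalising names."""
    lines = head.split(CRLF)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name, value.strip()))
    return lines[0], headers


def header_value(headers, wanted, normalise):
    """First value whose normalised name equals wanted, else None."""
    for name, value in headers:
        if normalise(name) == wanted:
            return value
    return None


def chunked_body_end(body):
    """Index just past a complete chunked body (no trailers), or None if incomplete."""
    pos = 0
    while True:
        eol = body.find(CRLF, pos)
        if eol < 0:
            return None
        size = int(body[pos:eol].split(b";")[0].strip(), 16)
        pos = eol + 2
        if size == 0:
            return pos + 2 if body[pos:pos + 2] == CRLF else None
        pos += size
        if body[pos:pos + 2] != CRLF:
            return None
        pos += 2


def split_requests(buf, lenient_names):
    """Consume buf as a sequence of requests and return the request lines seen.

    Both parsers prefer Transfer-Encoding: chunked when they recognise the
    header. lenient_names=True strips whitespace from header names first, so a
    folded name such as b"Transfer-Encoding\\n " still matches (the back-end
    behaviour the article describes); a strict matcher does not recognise it
    and falls back to Content-Length (the front-end behaviour)."""
    normalise = (lambda n: n.strip().lower()) if lenient_names else (lambda n: n.lower())
    seen = []
    while buf:
        parts = split_head(buf)
        if parts is None:
            break                      # would wait for more bytes
        head, body = parts
        request_line, headers = parse_head(head)
        te = header_value(headers, b"transfer-encoding", normalise)
        cl = header_value(headers, b"content-length", normalise)
        if te is not None and te.lower() == b"chunked":
            end = chunked_body_end(body)
            if end is None:
                break
        else:
            end = int(cl) if cl is not None else 0
        seen.append(request_line)
        buf = body[end:]
    return seen


def strict_validate(buf):
    """Reasons a front-end should reject this request instead of forwarding it."""
    parts = split_head(buf)
    if parts is None:
        return ["incomplete head"]
    _, headers = parse_head(parts[0])
    reasons, names = [], set()
    for name, _ in headers:
        # Header names are tokens: any whitespace or control byte is malformed.
        if not name or any(c <= 0x20 or c == 0x7F for c in name):
            reasons.append("malformed header name: %r" % name)
        names.add(name.strip().lower())
    if {b"content-length", b"transfer-encoding"} <= names:
        reasons.append("both Content-Length and Transfer-Encoding present")
    return reasons


# Constructed CL.TE sample: Content-Length covers the whole body, but a
# chunked parser stops at the terminating 0 chunk and treats the rest as a
# second request.
HIDDEN = b"GET /hidden HTTP/1.1" + CRLF + b"Host: example.test" + CRLF + CRLF
BODY = b"0" + CRLF + CRLF + HIDDEN
CLTE_SAMPLE = (
    b"POST / HTTP/1.1" + CRLF
    + b"Host: example.test" + CRLF
    + b"Content-Length: " + str(len(BODY)).encode() + CRLF
    + b"Transfer-Encoding\n : chunked" + CRLF   # folded name from the article
    + CRLF + BODY
)
CLEAN_SAMPLE = b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"

if __name__ == "__main__":
    print("front-end sees :", split_requests(CLTE_SAMPLE, lenient_names=False))
    print("back-end sees  :", split_requests(CLTE_SAMPLE, lenient_names=True))
    print("strict check   :", strict_validate(CLTE_SAMPLE))
    print("clean request  :", strict_validate(CLEAN_SAMPLE))
```

Run stand-alone, the front-end model reports one request and the back-end model reports two, which is the desynchronisation the article describes. The strict check flags the same bytes twice: a header name containing a newline and space, and a request carrying both framing headers. Rejecting on either condition at the edge, rather than normalising and forwarding, is the fix a front-end operator controls.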

Based on this observation Stealthy crafted the first proof of concept.

“My smuggled path is /static/docs because a redirect occurs there, using the Host header value in the redirect,” continued the researcher. “Thus, I could redirect live users to my server to ensure that the request smuggling affects production users.”

This would enable attackers to redirect JavaScript imports and achieve stored cross-site scripting (XSS) on the host.

More impactful still was the servers’ vulnerability to queue poisoning, an attack technique that “smuggles a complete request and breaks the response queue, which will start sending random responses to unintended users”.

All response data, including Set-Cookie headers, could be disclosed by this technique, the researcher claims.

Apple responded to the bug report quickly, remediated the vulnerabilities, and paid Stealthy a $12,000 bug bounty reward for each domain.

Source: portswigger.net