Apple paid $36,000 bug bounty for HTTP request smuggling flaws on core web apps – research
Adam Bannister Apr 07, 2022 at 12:54 PM UTC
Updated: April 07, 2022 12:56 UTC
Queue poisoning attacks would have put accounts at risk of takeover
A security researcher claims to have reaped $36,000 in bug bounties after discovering critical HTTP request smuggling vulnerabilities affecting three of Apple’s major web applications.
The bug hunter, a 20-year-old hacker who calls himself online’Stealth‘, said they deployed the same technique to achieve queue poisoning on domains, paving the way for data disclosure and account takeover with no user interaction required.
The bugs reportedly affected servers for businesses.apple.com and school.apple.comthat businesses and schools use to manage devices, apps, and accounts, respectively, as well as mapsconnect.apple.comthat organizations use to claim and manage business listings on Apple’s Maps app.
RELATED Fixed HTTP request smuggling bug in mitmproxy
The HTTP request smuggling flaws were CL.TE – or ” – issues, in which “the front-end reads the header of a request and the back-end reads the header,” Stealthy explained. in a Medium. blog post.
The vulnerabilities arise because servers disagree about when requests begin and end.
Redirect live users
“A transformation was needed in the header of Apple websites using a newline character and then a space in the header name,” Stealthy said.
This change – fragmented – “succeeded in getting the header past the front end, but [it] was still used by the backend”.
Based on this observation, Stealthy developed the first proof of concept.
“My smuggling path is because a redirect happens there, using the header value in the redirect,” the researcher continued. “That way I could redirect live users to my server to make sure request smuggling affects production users.”
Keep up to date with the latest security news from Apple
Even more impactful was the servers’ vulnerability to queue poisoning, an attack technique that “smuggles a complete request and breaks the response queue, which will begin sending random responses to unintentional users”.
All response data, including headers, could be leaked by this technique, the researcher claims.
Apple responded quickly to the bug report, fixed the vulnerabilities, and paid Stealthy a bug bounty of $12,000 for each domain.
Apple did not respond to The daily sip‘s requests for comments.
RECOMMENDED New Differential Fuzzing Tool Reveals New HTTP Request Smuggling Techniques