Apple Store security flaw

Published on:

According to Wired News, "Apple Computer said it fixed a security flaw at its online store late last week that could have enabled attackers to hijack customers' accounts and place fraudulent orders. "

Apple has licensed 1-Click™ from Amazon, which consists simply of storing the client's credit card information on file and allowing for buying online without having to re-enter this information during checkouts. Apple said that an attacker would not have been able to retrieve the full credit card number, however it would have been possible to place order on the Apple Store as well as the new music store.

Call me paranoid, but that is exactly why I resent storing sensitive information on foreign systems.

The flaw was discovered by an anonymous Canadian security researcher, nicknamed "Null", who simply looked at the source of the page that helps users reset their password:

After submitting his e-mail address, as requested by the system, Null said he noticed that Apple was hiding a string of letters and numbers in the source code to one of the pages designed to confirm users' identities.

By cutting and pasting that "hash" into a separate page for specifying the new password, Null was able to change his password without answering the secret question used to authenticate him.

Last year, Null identified a similar password security problem at the eBay website.

This kind of flaw is obviously due to bad coding practices, i.e. passing sensitive information from page to page where malicious users can view and compromise them during their journey through the browser. There are other well known examples -- I think specifically of the ability to compromise scripts variables in old versions of PHP which led to similar bad coding and flaws. Despite this, Wired throws Apple's own technology in the mud:

Apple had no immediate information about whether the vulnerability lies in the company's WebObjects software used at the store, or whether it would affect third-party sites running the software.

Wired would have been better serving its audience in hinting on the coding practices and remind programmers that this can happen with any technology.