No product refresh, just a security issue that needed Apple’s immediate attention

Jan 27, 2012 08:45 GMT

The Apple online store is down worldwide — reason enough to get excited and write a story about it, as usual. But it appears security is the culprit this time around, not new product announcements.

Some Macs are due for a refresh (some, like the Mac Pro, are actually overdue), and we also shouldn’t bet against Apple releasing something new altogether on a Friday. Apple rarely pulls its store down solely for maintenance, but it’s certainly not out of the ordinary either.

Granted, we have very low expectations in terms of a product refresh, especially since it’s a Friday. The company usually makes big announcements on Tuesdays.

If Apple is planning to release an upgraded version of the Mac Pro, the rumors say it’s a complete redesign, which means it might have deserved its own show. But Apple also has a history of refreshing Macintosh computers without building special events around them. MacBook redesigns are a good example of that.

Unfortunately, we shouldn’t expect any of this today.

We’ve received word that a security researcher (referred to as longrifle0x) submitted a cross-site scripting (XSS) vulnerability affecting store.apple.com on 21/01/2012. At the time of submission, the site ranked 30th on the web according to Alexa.

The people at xssed.com say they manually validated and published a mirror of this vulnerability on January 24, and that it is currently unfixed.

Exploited cross-site scripting vulnerabilities can be used by attackers to bypass access controls such as the same origin policy. Vulnerabilities of this kind have been exploited to create powerful phishing attacks and browser exploits.

In plain English, with a little social engineering, an attacker can use this to make the Apple online store display whatever content they want.

Update: just as this report was being published online, Apple fixed the cross-site scripting vulnerability affecting store.apple.com.