14 DAY TRIAL // The hacker known as Freedom helped Apple address a couple of cross-site scripting (XSS) vulnerabilities that affected one of the company’s public-facing websites.
This is another interview that’s meant to demonstrate that companies can work well with hackers when it comes to securing their systems against malicious attacks.
This is not the first time when this particular security expert finds something interesting, but we believe he represents a good example for hackers when it comes to the proper way of handling vulnerabilities and their disclosure.
Softpedia: How did you find the vulnerability?
Freedom: I was on Apple’s site as I was looking for a new iPhone and I saw that you could make an "Apple ID." So, I thought “OK, you never know when it will come in handy.”
After I had my ID made, I was setting up my profile on https://discussions. apple.com/people/<removed>
I came to a part called “My products” which had the option to pick what Apple stuff you use (i.e. iPod, Mac, and so on). Also you can pick the Operating System that your Apple stuff uses.
Being a curios person, I looked at the page’s source and came to a section of it that looked a bit like this:
<optgroup id="allGroup" label="All Products"> <option value="iPad 2" >iPad 2</option> <option value=" iPad" > iPad</option> <option value="iPhone 4S" >iPhone 4S</option> <option value="iPhone 4" >iPhone 4</option>
After seeing this, I wanted to test it because something was telling me it was not secure. It just looked wrong.
So, using the Firefox add-on (Firebug), I edited the elements of the option box and changed "<option value="iPad">iPad</option>" to <option value="<img src=1.gif onerror=alert(test)>"> iPad</option> and then submitted the data.
Now, when I went to the “My profile” page, my code had gone through successfully and I was presented with a persistent alert box.
Softpedia: What were the risks posed by such a flaw?
Freedom: This issue was a high risk issue as it could have been used to steal user information and make an XSS tunnel or even set up an XSS worm.
This bug was also an issue when making a post on the site.
Softpedia: How did you report your findings to Apple?
Freedom: After finding these issues I sent an email to Apple via [email protected]. It took almost 30 minutes to find this email and it was the wrong one. LOL.
But the person I talked to, Maria, was very helpful and went out of her way to find the right email address: [email protected].
There, I talked to Jeffrey Czerniak who was very helpful and kept me updated with what was going on. He thanked me a lot for my input and my report.
I would like to note that Apple should make their security email easier to find as it took me some time to find the right place.
Softpedia: How long did it take for the company to address the vulnerability?
Freedom: It took Apple about a week to get it fixed and tested. When they had it done, they wanted to acknowledge me for my finds and my report, so they added me to their hall of fame: 2012-04-04 discussions.apple.com
A cross-site scripting issue was addressed. We would like to acknowledge Freedom of DIY-HACK.com for reporting this issue.
2012-04-04 discussions.apple.com
A reflected cross-site scripting issue was addressed. We would like to acknowledge Freedom of DIY-HACK.com for reporting this issue.
Softpedia: What do you think about this experience?
Freedom: It is good to know that some companies do care about security and listen to people like me. So a big thanks you to apple.com.
It's been a very good experience, I only wish it was like that with all the reports I send in to other companies too.