Apple has finally fixed a security flaw in its application store that for years has allowed attackers to steal passwords and install unwanted or extremely expensive applications.
The flaw arose because Apple neglected to use encryption when an iPhone or other mobile device tries to connect to the App Store, meaning an attacker can hijack the connection. In addition to a security flaw, the unencrypted connections also created a privacy vulnerability because the complete list of applications installed on the device are disclosed over Wi-Fi.
It also allows the installation of apps, including extremely expensive ones that top out at $999.99, without the user's consent, which can create serious consequences because Apple doesn't give refunds. To do this, an attacker needs to be on the same private or public Wi-Fi network, including, for example, a coffeeshop, hotel, or airport network.
Security researcher Elie Bursztein discovered the vulnerability and reported it to Apple last July. Apple fixed the problem in a recent update that said "content is now served over HTTPS by default." Apple also thanked Bernhard Brehm of Recurity Labs and Rahul Iyer of Bejoi.
An Apple representative declined to respond to questions from CNET this morning, including a query about why it took so long to fix this particular vulnerability.
Bursztein, who works at Google, in Mountain View, Calif., but emphasized this was work done at home in his spare time, published a personal blog post today that described details about the App Store vulnerability and included videos of how an attacker was able to steal passwords or install unwanted apps.
Publicizing this flaw, Bursztein said, highlighted how necessary encrypted HTTPS connections were. "Many companies don't realize that HTTPS is important for mobile apps," he said. But if they rely on Web connections or Webviews, he added, they are vulnerable to attacks: "Providing a concrete example seems a good way to attract developer attention to the issue."
As a postdoctoral researcher at Stanford University, Bursztein published research that included demonstrating flaws in Captchas and the Web interfaces of embedded devices. At the Defcon conference in Las Vegas two years ago, he demonstrated how to bypass Windows' built-in encryption that Web browsers, instant messaging clients, and other programs used to store user passwords.
CNET's Josh Lowensohn contributed to this report