The security team of Resecurity has published a report on how they accessed one of the Apple API’s which is responsible for the Apply Payment supplies.
Finding their target
The security team of Resecurity quickly identified an domain of interest, the domain in question provides Apple Pay Supplies, which allows the users to order Apple related Kits such as `Apple Pay Decals Kit` and `Apple Pay Signage Kit`.
Resecurity is a cyber security company that delivers a unified platform for endpoint protection, risk management, and threat intelligence for large enterprises and government agencies worldwide.
Resecurity
Their initial access point
Once on the site, the security team created an order, in the order URL, they noticed that the orderid string could be bruteforced. They created an quick tool and after a while, they noticed that this was an dead end as the data was not provided via the browser as they would get a blank page.
We were not able to perform the attack by hitting Submit button nor were we able to intercept the request as the Application was using a front-end fetching mechanism via a JavaScript thus no backend request was related to the target URL. So, we needed to analyze the JavaScript Files / Burp History and check for an API to see how the data is being fetched and retrieved.
Resecurity on getting the blank page
They continued to investigate the site and they found an API. The API didn’t have the needed checks to counter the previous steps taken by the team of Resecurity and by bruteforcing the API they were actually able to retrieve data. This attack allowed anyone to view the post address of the orders which were made in the past. Resecurity of course reported this and Apple fixed the bug.
However
The security team continued to check the site after the fix, and again they were able to brute force the orderID by encrypting their queries with CryptoJS. This was also reported to Apple. Apple responded and performed the fixes on this.
We analyzed how the Encryption is implemented within the Application, and with the help of our Friend Max (h1 Profile), We wrote a script to encrypt the required values using the CryptoJS library as the Application did, we could then brute force the Order Number again.
Resecurity on the second fix of Apple