Queue poisoning attacks allegedly put accounts at risk of takeover
A security researcher claims they netted $36,000 in bug bounties after uncovering critical HTTP request smuggling vulnerabilities affecting three of Apple’s core web applications.
The bug hunter, a 20-year-old hacker going by the online moniker ‘Stealthy’, said they deployed the same technique to achieve queue poisoning on the domains, paving the way to data disclosure and account takeover with no user interaction required.
The bugs supposedly affected servers for business.apple.com and school.apple.com, which businesses and schools respectively use to manage devices, apps, and accounts, as well as mapsconnect.apple.com, which organizations use to claim and manage business listings on Apple’s maps application.
The HTTP request smuggling flaws were CL.TE – or ‘Content-Length.Transfer-Encoding’ – issues, whereby “the front-end server reads the Content-Length header in a request, and the backend server reads the Transfer-Encoding header”, Stealthy explained in a Medium blog post.
Vulnerabilities arise because the servers disagree on where requests begin and end.
Redirecting live users
“A transformation was needed in the Transfer-Encoding header on Apple’s websites using a newline character and then a space in the header name,” said Stealthy.
This change – a Transfer-Encoding: chunked header with a newline and a space inserted into its name – “successfully slipped the header past the frontend server but [it] was still used by the backend”.
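As an added illustration (not code from the article or from the researcher), the Python check below applies the framing rules a strict front-end proxy should enforce to constructed requests of the shape just described: it unfolds the newline-and-space trick the way a lenient back-end would, then flags any request in which Content-Length and Transfer-Encoding coexist or a header name is not a valid token. The sample request bytes and the host name are made up.

```python
import re
# RFC 7230 header-name grammar: token characters only, so no whitespace or CR/LF.
TOKEN = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")

def parse_headers_leniently(head):
    """Parse a header block as a permissive back-end might, recording each leniency applied."""
    findings = []
    if b"\n" in head.replace(b"\r\n", b""):
        findings.append("bare LF inside header block")
    unfolded = []
    for line in re.split(rb"\r?\n", head)[1:]:  # [0] is the request line
        # Obsolete line folding: a line starting with SP/HTAB continues the previous
        # one. This is what turns "Transfer-Encoding<LF> : chunked" into one header.
        if line[:1] in (b" ", b"\t") and unfolded:
            unfolded[-1] += line
            findings.append("obs-fold continuation line")
        else:
            unfolded.append(line)
    headers = {}
    for line in unfolded:
        name, colon, value = line.partition(b":")
        if not colon:
            findings.append("header line without colon: %r" % line)
            continue
        if not TOKEN.match(name):
            findings.append("non-token header name: %r" % name)
        headers.setdefault(name.strip().lower(), []).append(value.strip().lower())
    return headers, findings

def smuggling_indicators(raw):
    """Return the reasons a strict front-end should reject this request; [] means the framing is unambiguous."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["incomplete header block"]
    headers, findings = parse_headers_leniently(head)
    te = headers.get(b"transfer-encoding", [])
    cl = headers.get(b"content-length", [])
    if te and cl:
        findings.append("Content-Length and Transfer-Encoding both present (CL.TE ambiguity)")
    if te and te != [b"chunked"]:
        findings.append("unusual Transfer-Encoding value(s): %r" % te)
    if len(cl) > 1 or any(not v.isdigit() for v in cl):
        findings.append("invalid or duplicate Content-Length: %r" % cl)
    return findings

# Constructed sample requests (made up, not from the article); bodies are arbitrary.
CLEAN = b"POST /login HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n\r\nhello"
AMBIGUOUS = (b"POST /login HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n"
             b"Transfer-Encoding\n : chunked\r\n\r\nhello")
```

Running `smuggling_indicators(AMBIGUOUS)` returns four findings (bare LF, obs-fold, non-token name, CL.TE ambiguity), while `smuggling_indicators(CLEAN)` returns an empty list.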
Based on this observation Stealthy crafted the first proof of concept.
“My smuggled path is because a redirect occurs there, using the header value in the redirect,” continued the researcher. “Thus, I could redirect live users to my server to ensure that the request smuggling affects production users.”
This would enable attackers to redirect JavaScript imports and achieve stored cross-site scripting (XSS) on the host.
More impactful still was the servers’ vulnerability to queue poisoning, an attack technique that “smuggles a complete request and breaks the response queue, which will start sending random responses to unintended users”.
All response data, including headers, could be disclosed by this technique, the researcher claims.
Apple responded to the bug report quickly, remediated the vulnerabilities, and paid Stealthy a $12,000 bug bounty reward for each domain.
Apple did not respond to The Daily Swig’s requests for comment.