Full Report
[part 5 in a series of 5 video write-ups from our BlackHat 09 talk, summary here]

Goal

The final installment of our BlackHat video series showcases weaknesses in the password reset feature of Apple’s MobileMe service and publicizes an XSS vulnerability in the application. At first glance the choice of MobileMe may seem arbitrary, but it was useful for a number of reasons. MobileMe is one of the more popular consumer-focused cloud services, and it is a good example of the feature creep that is a hallmark of cloud systems. By compromising a user’s MobileMe account an attacker gains access to much more than just the user’s mail. With each new feature addition the user is sucked into the service a little more, until most of their data is stored within MobileMe and a compromise of the account becomes serious for the user.
Analysis Summary
# Vulnerability: Apple MobileMe Password Reset Flaw and Stored XSS
This summary is based on findings presented at BlackHat 2009 regarding Apple MobileMe vulnerabilities, specifically focusing on password reset weaknesses and an XSS flaw in the "Find My iPhone" integration.
## CVE Details
* **CVE ID:** None; the write-up publicizes the flaws but cites no CVE for either the password reset weakness or the XSS.
* **CVSS Score:** Not provided.
* **CWE:** Relevant CWEs would likely include CWE-311 (Missing Encryption for Data in Transit) or flaws related to insecure direct object reference/insufficient authentication for password recovery, and CWE-79 (Improper Neutralization of Input During Web Page Generation) for XSS.
## Affected Systems
* **Products:** Apple MobileMe service (including web interface and iPhone integration).
* **Versions:** All versions vulnerable prior to patches being released (specific version numbers not provided).
* **Configurations:** Any account reachable through the password reset feature, and any account with a synced iPhone whose name field had been modified to carry the injected script.
## Vulnerability Description
### 1. Password Reset Weakness
The password reset mechanism relied on two pieces of easily discoverable or guessable information: the user's **birthdate** (often available publicly via social media or other online profiles) and the answer to a **secret question**. By combining the previously disclosed username enumeration technique with a guessed or researched secret answer, an attacker could initiate and complete a password reset for a target user's MobileMe account.
### 2. Stored Cross-Site Scripting (XSS) in iPhone Name
A Stored XSS vulnerability existed in the integration between an iPhone synced to MobileMe and the "Find My iPhone" web page. By injecting arbitrary JavaScript into the **name field** of the synced iPhone, the attacker's script executed whenever the MobileMe service displayed the device name. The main complication was that the page output truncated the name at two points, which was overcome by extending the length of the injected name.
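The defensive counterpart to the device-name rendering bug above, as an added example (not code from the original write-up or from Apple): the device name is attacker-controlled data, so it must be HTML-escaped before it lands in markup, and, because the page also truncates the name, truncation has to happen on the plain text before escaping. The wrapper markup and the sample name are assumptions.

```javascript
// Added example (not from the original write-up or Apple's code): rendering a
// synced device name into an HTML device list. The name is attacker-controlled
// data, so it is truncated first and then HTML-escaped before being placed in
// markup; escaping before truncation can cut an entity such as "&lt;" in half.

// Constructed sample: a device name carrying a script tag.
const SAMPLE_NAME = "Woz's iPhone<script>alert(1)</script>";

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the raw name is concatenated into markup, so any tags it
// carries are parsed by the browser and script in them executes.
function renderDeviceRowUnsafe(name, maxLen = 32) {
  return `<li class="device">${name.slice(0, maxLen)}</li>`;
}

// Hardened pattern: truncate the plain text, then escape exactly what is shown.
function renderDeviceRowSafe(name, maxLen = 32) {
  const shown = name.length > maxLen ? name.slice(0, maxLen) + '...' : name;
  return `<li class="device">${escapeHtml(shown)}</li>`;
}

// Wrong order: escape, then truncate. Safe against XSS, but the length limit can
// split an entity, so the rendered text no longer matches the device name.
function renderDeviceRowEscapeFirst(name, maxLen = 32) {
  const esc = escapeHtml(name);
  const shown = esc.length > maxLen ? esc.slice(0, maxLen) + '...' : esc;
  return `<li class="device">${shown}</li>`;
}

// Check used in the tests: any '<' other than our own <li>/</li> wrapper means
// a raw tag from the device name survived into the markup.
function containsRawTag(html) {
  return /<(?!\/?li\b)/.test(html);
}
```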
## Exploitation
* **Status:** PoC demonstrated against a test account and against Steve Wozniak's account (stopping short of changing the password). The XSS vulnerability was confirmed to be patched by Apple.
* **Complexity (Password Reset):** Low to Medium. Required initial enumeration followed by targeted guessing/social engineering for the secret question.
* **Complexity (XSS):** Medium. Required knowledge of the specific truncation points in the output rendering.
* **Attack Vector:** Network (remote web exploitation).
## Impact
Compromise of a MobileMe account grants access to sensitive aggregated data typical of cloud services (mail, calendar, photos, contacts, location data).
* **Confidentiality:** High (Access to sensitive personal and organizational data).
* **Integrity:** High (Ability to alter calendar entries, delete data, or change account settings).
* **Availability:** Medium (Potential for data deletion or account lockout).
* **XSS Impact:** High (Persistent injection leading to session hijacking or credential theft upon subsequent page loads).
## Remediation
### Patches
* Specific patch versions are not cited in the source material.
* **Status:** Apple has since patched the XSS bug. It is assumed a fix was released for the password reset logic deficiencies following this disclosure.
### Workarounds
* Avoid using easily guessable answers for secret questions.
* Ensure secret questions/answers utilize information not publicly available across various online profiles.
* Use strong, unique passwords and, if available, utilize multi-factor authentication (though MFA was less common in 2009).
## Detection
* **Indicators of Compromise:** Unexpected password reset requests, unexplained changes to account settings, presence of unusual JavaScript execution when viewing device lists in MobileMe, or unusual outbound traffic originating from linked devices/accounts.
* **Detection Methods and Tools:** Monitor authentication and password reset logs for bursts of failed attempts against a single account, since the recovery data (birthdate, secret answer) is weak enough to be guessed. Use a Web Application Firewall (WAF) to flag requests carrying characteristic XSS payloads in the HTTP parameters that set device names.
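One way to implement the reset-log monitoring described above, as an added example (not tooling from the original write-up or from Apple): it parses constructed audit lines in an assumed format, flags an account whose failed recovery attempts reach a threshold inside a short window, and records whether a successful reset followed the burst.

```javascript
// Added example (not from the original write-up or any Apple tooling): scan
// constructed password-reset audit lines and flag accounts hit by repeated
// failed recovery attempts (wrong birthdate or secret answer) in a short window,
// noting whether a success followed the burst. The log format is assumed.

const SAMPLE_LOG = [
  '2009-07-30T10:00:01Z reset_attempt user=alice src=198.51.100.7 result=fail reason=birthdate',
  '2009-07-30T10:00:09Z reset_attempt user=alice src=198.51.100.7 result=fail reason=secret_answer',
  '2009-07-30T10:00:20Z reset_attempt user=alice src=198.51.100.7 result=fail reason=secret_answer',
  '2009-07-30T10:01:02Z reset_attempt user=alice src=198.51.100.7 result=success reason=-',
  '2009-07-30T11:30:00Z reset_attempt user=bob src=203.0.113.5 result=fail reason=birthdate',
  '2009-07-30T15:00:00Z reset_attempt user=bob src=203.0.113.5 result=success reason=-',
];

function parseLine(line) {
  const m = line.match(/^(\S+) reset_attempt user=(\S+) src=(\S+) result=(\S+) reason=(\S+)$/);
  if (!m) return null;
  return { ts: Date.parse(m[1]), user: m[2], src: m[3], result: m[4], reason: m[5] };
}

// Returns one alert per user whose failures reach `threshold` inside `windowMs`.
function findSuspiciousResets(lines, threshold = 3, windowMs = 10 * 60 * 1000) {
  const byUser = new Map();
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev) continue;                          // skip lines that do not match
    if (!byUser.has(ev.user)) byUser.set(ev.user, []);
    byUser.get(ev.user).push(ev);
  }
  const alerts = [];
  for (const [user, events] of byUser) {
    events.sort((a, b) => a.ts - b.ts);
    const fails = events.filter((e) => e.result === 'fail');
    for (let i = 0; i + threshold <= fails.length; i++) {
      const first = fails[i];
      const last = fails[i + threshold - 1];
      if (last.ts - first.ts > windowMs) continue;
      alerts.push({
        user,
        sources: [...new Set(fails.slice(i, i + threshold).map((e) => e.src))],
        reasons: [...new Set(fails.slice(i, i + threshold).map((e) => e.reason))],
        successAfter: events.some((e) => e.result === 'success' && e.ts > last.ts),
      });
      break;                                    // one alert per user
    }
  }
  return alerts;
}
```

A burst of failures followed by a success is the pattern worth paging on; isolated failures like bob's are ordinary user error.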
## References
* Vendor Advisories: Apple Security Updates (specific advisory references not provided).
* Relevant Links: Attacks publicized during BlackHat 2009 presentations (SensePost).
* sensepost.com/blog/3736.html (link to the primary write-up series summary)
* techcrunch.com/2008/08/21/an-easy-way-to-retrieve-the-entire-mobileme-user-email-list/ (reference to the prior username enumeration discovery)