Apple Support iOS Application 1.1.1 Unencrypted Third Party Analytics

2017.10.25
Credit: David Coomber
Risk: Low
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

Apple Support iOS Application - Unencrypted Third Party Analytics (CVE-2017-7147) Overview "Need help? Apple Support app is your personalized guide to the best options from Apple. Find answers with articles tailored to your products and questions. Call, chat or email with an expert right away, or schedule a callback when itas convenient. Get a repair at an Apple Store or a nearby Apple Authorized Service Provider. Apple Support is here to help." (https://itunes.apple.com/us/app/apple-support/id1130498044) Issue The Apple Support iOS application (version 1.1.1 and below) sends potentially sensitive information such as mobile carrier, install date and time, number of app launches, device model, iOS version and screen resolution, unencrypted to a third party site (Adobe Marketing Cloud). Impact An attacker who can monitor network traffic could capture potentially sensitive information about the iOS device without the user's knowledge. Timeline June 16, 2017 - Notified Apple via product-security@apple.com June 16, 2017 - Apple sent an auto acknowledgment June 16, 2017 - Apple responded stating that they are investigating July 10, 2017 - Asked for a status update July 10, 2017 - Apple responded stating that they are still investigating August 21, 2017 - Asked for a status update August 21, 2017 - Apple responded stating that they are still investigating August 30, 2017 - Apple released version 1.2 which sends the analytics data over an encrypted connection October 17, 2017 - Apple published a security advisory to document the issue Solution Upgrade to version 1.2 or later https://support.apple.com/en-ca/HT208201 https://support.apple.com/en-us/HT201222 CVE-ID: CVE-2017-7147


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top